Username Trickery

Video Transcript

Hi there. One of the things that hackers are looking for whenever they’re trying to break into your WordPress site is just how easy it’s going to be to get in. And the more frustration that you can throw their way, the quicker they’re going to move on to the next site. Now, in this class we’re going to layer on the frustration with what I call username trickery.

And, you know, that’s for lack of a better name. Now, this is not a mandatory security measure by any means, but let’s get going, and I’ll leave it up to you whether you want to put this to work on your site. So, after you’ve logged in as the administrator on your site, as I’ve already done here, head on over to Users. On the user management page, click on Add New, or you can do the same thing from here in the left sidebar. Now, in the username, put in admin. I know I’m always harping about not using admin as the username for the administrator; well, we’re not. We’re just using admin as our trickery username, and all will be revealed when I get to the end of this class, so hang in there. Now, the email: more than likely you’re not going to get any legitimate emails to this email address, so I’ll put in a throwaway email. That’s totally up to you. Fill in the rest of the fields.

Now, as far as the password, you want to make it a strong password. You want to make these hackers work for it at least a little bit. I’ll just regenerate this a couple of times; that’ll work. I’m just going to copy that, because we are going to have to log in, so you want to document this. No, I don’t need to send this over to the email address of the subscriber, because again, chances are it’s a bogus email address. And we don’t want to change the role just yet. Just leave it as the default, Subscriber, and click on Add New User. And here’s our new user. Oh, and by the way, you’ll notice also that it is picking up where we left off in the prior class, where we adjusted the user ID number.

So whatever you adjust yours to, it’s going to be picking up where you left off. Now, I’ve created a few users in between here and there; if you have not, your user ID number will be the next in sequence after the one that we created in our prior class. And by the way, speaking of the prior class, where we adjusted these user IDs: if you really want to layer on the level of frustration, use that same method that we covered in the prior class and change your bogus user back to user ID one. So whatever ID is in here, just reverse the process that we went through in the prior class and change it from whatever it says here back to user ID one. That’ll make it easier for them to guess the username for our bogus admin. And again, all this will start to make sense in just a moment, so just hang in there. Now, I’m not going to be changing the user ID, but that’s something that you might want to consider. Again, you may decide not to do this at all, which is fine.

So anyway, with this created, and having mentioned the user ID possibility, let’s go in and edit that new user. Now, when we come on down to Role, hit the drop-down and select No role for this site. Basically, what’s going to happen here, if you haven’t guessed already: whenever the hacker guesses, maybe with a little bit of your help by changing that ID back to one, that the username is admin, they’re getting excited. Now all they have to do is guess the password.
Let’s assume for a second that they’re a smart bot or a smart human, and they’ve been able to figure out your strong password, and they break in. Let’s demonstrate what happens now. Let’s go ahead and click on Update User. Now our newly created user with the username admin has no role. So let’s open up a private browser, and we’re going to log in as our hacker, thinking that they’re about to have some fun with this site they’ve just broken into.

Okay, they see what appears to be the admin toolbar at the top. They’re getting excited now, until they realize that there’s nothing up here. They click on the links that are available, and it does absolutely nothing, because they have no role. All that they can view is their username, the name associated with that user, and their ability to log out, over here. They have access to the same links that anybody does: WordPress.org and Documentation. And again, they click on my blog, and it brings them to my blog. Well, that’s going to bring us to the end of this class on using a little username trickery to stop hackers. Thanks for checking it out, and you have a great day.
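The same decoy account, created and verified from the command line instead of the Users screen, as an added example that is not part of the course: a PHP script to run once with WP-CLI’s wp eval-file, which loads WordPress before evaluating the file, so the core functions used below are available. The login admin, the throwaway address decoy@example.invalid and the two function names are assumptions. It mirrors the steps in the class (create the user as a Subscriber with a strong generated password, then strip the role), refuses to touch an existing account that already uses the login admin, and ends with the check a practitioner wants: the decoy exists, carries no role, and lacks even the read capability, which is what keeps a successful login out of the dashboard. It does not change the user ID; that is the method from the prior class.

```php
<?php
/*
 * Added example, not from the course: create the decoy "admin" user from
 * the command line and verify it is harmless. Run once with
 *
 *     wp eval-file decoy-admin.php
 *
 * WP-CLI loads WordPress first, so wp_insert_user(), WP_User, user_can()
 * and the other core functions below are available. The function names,
 * the login "admin" and the throwaway address are assumptions.
 */

/**
 * Create the decoy user: strong random password, created as a subscriber
 * (the default role on the Add New User screen), then stripped of every role.
 * Returns the new user ID, or a WP_Error if the login is already taken.
 */
function decoy_admin_create( $login = 'admin', $email = 'decoy@example.invalid' ) {
    if ( username_exists( $login ) ) {
        // Never clobber a real account that happens to use this login.
        return new WP_Error( 'decoy_exists', "A user named '$login' already exists." );
    }

    // 32 characters with symbols. It is printed once and stored nowhere else.
    $password = wp_generate_password( 32, true, true );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => $password,
        'user_email' => $email,
        'role'       => 'subscriber',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // "No role for this site": an empty role removes all roles and capabilities.
    $user = new WP_User( $user_id );
    $user->set_role( '' );

    printf( "Decoy user '%s' created with ID %d. Password (record it now): %s\n",
        $login, $user_id, $password );
    return $user_id;
}

/**
 * The check: true only if the decoy exists, has no role, and lacks the lowest
 * capability ('read') as well as the ones an attacker would want. A decoy
 * that still passes user_can() is a real account, not a trap.
 */
function decoy_admin_is_harmless( $login = 'admin' ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return false;
    }
    return empty( $user->roles )
        && ! user_can( $user, 'read' )
        && ! user_can( $user, 'edit_posts' )
        && ! user_can( $user, 'manage_options' );
}

$result = decoy_admin_create();
if ( is_wp_error( $result ) ) {
    echo 'Not created: ' . $result->get_error_message() . "\n";
} elseif ( decoy_admin_is_harmless() ) {
    echo "Verified: 'admin' has no role and no capabilities.\n";
} else {
    echo "WARNING: 'admin' still has capabilities; check its role.\n";
}
```

The password is printed to the terminal exactly once, so copy it if you want to repeat the private-browser demo from the class. As the demo shows, the decoy can still authenticate; the point of the final check is to confirm that a session as that user has nothing it can do, which is what makes the guessed password worthless.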