This is a bit off the SEO topic, but is very important in regard to online security, so I’m going to write about it here anyway.
You may be aware that there has been a major attempt to hack WordPress based websites recently, and so it is really important that you do everything you can to keep your website secure.
Some hackers may want to hack your website for the sheer heck of it, not caring that it disrupts peoples livelihoods and may cost some people their homes or businesses, but many others do it for nefarious SEO reasons.
The snoal yadyap (spelt backwards so it doesn’t get picked up by said hackers) market for example has seen a marked rise in the hijacking of websites to promote those tacky products, and it may well be that if your site does get hacked, it may be redirected somewhere less than savoury, and it may have long term repercussions for your websites rankings.
Some sophisticated hacks don’t just show different websites to Google, visitors, etc, they even show different sites to people living in different countries, so the owner of the site may not even know they have been hacked at all.
So it’s really important that you take security seriously and do as much as you can, like installing plugins like Wordfence (where you can limit the number of attempted logins before an IP address is banned), Bullet Proof Security, etc – I highly recommend you install them and use them.
There is however another issue that I have found with WordPress that I don’t like, and despite trying to discuss I keep getting the “you need to choose a strong password” answer from the same people, who don’t seem to take it seriously at all.
Is This a WordPress Vulnerability?
I’m sure if you use WordPress you will have heard over and over “change your user name (i.e. the name you log in with) to something other than “admin””.
This is because “admin” was the default login WordPress created, and so a hacker has half of their job done if you use this standard login – they only need to guess your password.
If you use a different user name and they don’t know it, then it makes their job harder.
However, what is the point of doing that if your WordPress site openly shows your new log in name on the “standard” 404 page?
Don’t you think it makes more sense to hide both your user name AND your password from those who want to break into your website?
Right now if you have the 404 page that lists posts, pages, categories, authors, etc, then that is exactly what it is doing.
All a hacker needs to do is type in a string of gibberish at the end of your URL to get to the 404 page, then hover over the author name, and they are given your log in name.
For example, if your public author name is “idiot” and your log in name is “I_like_giving_my_log_in_name_to_hackers”, then all the hacker has to do is hover over your name – “idiot” and they can see your log in name: “I_like_giving_my_log_in_name_to_hackers”.
It makes no sense to me at all, I can see no reason whatsoever to reveal it to anyone, and it is causing some annoying side effects.
If you have, for example, got Wordfence installed and have limited the number of times someone can try to log in, and the hacker gets it wrong enough times to trip the lock out, then because he is using the actual log in name, you are then locked out of your own site.
Or if you’re a web designer and you have lots of clients, you’ll find many of your clients are locked out of their own sites when they phone you up to complain, and of course once you’ve unlocked them they find they are locked out again 30 minutes later and they get really annoyed – with you!
So, I recommend that you take a look at your 404 page and remove the “author” chunk of it mucho pronto, it’s a headache and a security risk that no one needs, and that doesn’t need to exist.