We have encountered additional administrator accounts on clients' websites that no one remembers creating and no one can account for. An administrator account nobody created should be treated as a likely indicator that the site has already been compromised, not as clutter, so as part of every WordPress security maintenance check the following needs to be done, at minimum:

  • Remove all unaccounted-for administrator accounts and restrict the role to one or two named owners; confirm the username and e-mail of every remaining admin with the client.
  • If feasible, whitelist your own and the client's static IPs for the login page (wp-login.php) and the admin area.
  • Change the default path to the admin panel. This only raises the cost of automated scanning and is no substitute for the other items.
  • Maintain an access log of all logins to the admin panel, successful and failed, with source IP and timestamp.
  • Blacklist IPs that repeatedly attempt to gain unauthorised access.
  • Enforce a strong password policy.
  • Add two-factor authentication for every administrator account.
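Three of these items can be turned into repeatable checks. The script below is an added example written for this note; it is not part of the original checklist and not code from WordPress or WP-CLI. It assumes the admin list is the JSON that `wp user list --role=administrator --format=json` prints and that the web server writes an Apache/nginx combined-format access log. The user records, the approved-admin list, the IP ranges and the log lines are all constructed sample data.

```python
"""Added example (not part of the original checklist): scriptable versions of
three items -- flag unaccounted-for admins, generate an IP allowlist for the
login endpoint, and find IPs hammering wp-login.php in the access log.

Assumptions: the admin list is the JSON printed by
`wp user list --role=administrator --format=json`, and the web server writes
an Apache/nginx "combined" access log. All data below is constructed.
"""
import json
import re
from typing import Iterable

# Constructed sample shaped like WP-CLI's JSON output (ID, user_login,
# user_email and roles are default columns of `wp user list`).
SAMPLE_ADMIN_JSON = json.dumps([
    {"ID": 1, "user_login": "agency_admin", "user_email": "ops@example.com", "roles": "administrator"},
    {"ID": 2, "user_login": "client_admin", "user_email": "owner@example.com", "roles": "administrator"},
    {"ID": 17, "user_login": "wpsupport", "user_email": "wpsupport@example.net", "roles": "administrator"},
])
# The one or two admins the client has confirmed (constructed).
APPROVED_ADMINS = {"agency_admin", "client_admin"}
# Static IPs of the agency and the client (constructed, RFC 5737 ranges).
ALLOWED_IPS = ["203.0.113.0/24", "198.51.100.7"]


def unaccounted_admins(admin_json: str, approved: set) -> list:
    """Admin logins nobody has vouched for: candidates for removal and for an
    investigation, because someone created them and it was not us."""
    users = json.loads(admin_json)
    return sorted(u["user_login"] for u in users
                  if "administrator" in u["roles"] and u["user_login"] not in approved)


def htaccess_login_allowlist(allowed_ips: Iterable[str]) -> str:
    """Apache 2.4 fragment for the site's .htaccess: only the listed IPs may
    reach wp-login.php and xmlrpc.php (xmlrpc accepts credentials too). Do not
    wrap all of /wp-admin/ this way: admin-ajax.php is used by public pages."""
    rules = "\n".join(f"    Require ip {ip}" for ip in allowed_ips)
    return ('<FilesMatch "^(wp-login|xmlrpc)\\.php$">\n'
            f"{rules}\n"
            "</FilesMatch>\n")


# Constructed access-log lines: one IP brute-forcing wp-login.php (five
# failures, then a 302 meaning a login succeeded), one legitimate user who
# mistyped once, and unrelated traffic.
SAMPLE_LOG = """\
192.0.2.44 - - [10/May/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:03:14:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:08:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.20 - - [10/May/2024:08:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def login_outcomes(lines: Iterable[str]) -> dict:
    """Per IP, count failed and successful POSTs to wp-login.php. WordPress
    answers a failed login with 200 (the form again) and a successful one
    with a 302 to the admin area, so the status code separates the two."""
    outcomes = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?", 1)[0] != "/wp-login.php":
            continue
        counts = outcomes.setdefault(m.group("ip"), {"failed": 0, "succeeded": 0})
        if m.group("status") == "200":
            counts["failed"] += 1
        elif m.group("status") == "302":
            counts["succeeded"] += 1
    return outcomes


def blacklist_candidates(lines: Iterable[str], threshold: int = 5) -> list:
    """IPs with at least `threshold` failed logins: feed these to the firewall."""
    return sorted(ip for ip, c in login_outcomes(lines).items() if c["failed"] >= threshold)


def suspicious_successes(lines: Iterable[str], threshold: int = 5) -> list:
    """IPs that logged in successfully after at least `threshold` failures:
    treat the account involved as compromised and reset its password."""
    return sorted(ip for ip, c in login_outcomes(lines).items()
                  if c["failed"] >= threshold and c["succeeded"] > 0)


if __name__ == "__main__":
    print("Unaccounted-for admins:", unaccounted_admins(SAMPLE_ADMIN_JSON, APPROVED_ADMINS))
    print("Blacklist candidates:", blacklist_candidates(SAMPLE_LOG.splitlines()))
    print("Logged in after brute force:", suspicious_successes(SAMPLE_LOG.splitlines()))
    print(htaccess_login_allowlist(ALLOWED_IPS))
```

On the sample data the first check flags `wpsupport`, the log check blacklists 192.0.2.44 and also shows that it got in on the sixth attempt, which is exactly how an unexplained admin account tends to appear. Remove a rogue admin with `wp user delete <login> --reassign=<approved-user-id>` so its posts are kept, and reset the password of whichever account the successful 302 belonged to. The `.htaccess` fragment belongs in the site root; on nginx the equivalent is `allow`/`deny` lines in a `location ~ ^/(wp-login|xmlrpc)\.php$` block.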