If you are like many other WordPress users and use the default admin user account to log in and manage your blog, then you are doing something wrong. With power comes grave responsibility.
I remember when I first got into Linux. I heard loads of people shout across the net, "Don't use the root account (superuser account) to admin your server!" I would let out a chuckle and go on my merry way, knowing full well that it was such a mission to have two accounts, until the day I made a mistake and deleted every file on my filesystem; what's worse is that I did it more than once before learning.
A lot of web attacks are based around a common security vulnerability called Cross-Site Scripting. In fact, mybeNi let us know about a bunch of zero-day (new) vulnerabilities affecting WordPress 2.2.1 (the latest stable release). We are hoping to chat to him about these soon. If you are using WordPress with your admin account, then your blog is completely open to attack, and it will be possible for the attacker to take it further and compromise your web server.
How is this possible? When using the admin account, WordPress allows you full access to modify files within WordPress as well as to upload files. If an attacker has this level of access, it's game over. However, although any level of access is bad, it is possible to minimize the effects of the attack by using Role Management.
Role Management allows you to choose which users have which level of access. Why is this important? Most bloggers only require certain privileges on their blogs on a day-to-day basis. These tasks might include writing new posts, managing comments, etc. By creating an account with limited roles, it is possible to mitigate the threat. The only time you'll need to use the admin account is when you require a higher level of access for tasks such as installing plugins.
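As an added example (not code from the original post or from the Role Manager plugin mentioned below), here is a must-use plugin that uses WordPress's core roles API to create a limited day-to-day role and to audit which accounts can still edit code. The role name `daily_blogger`, the capability list and the function names are choices made for this example.

```php
<?php
/**
 * Plugin Name: Least-Privilege Blogger Role (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Role name chosen for this example.
const LP_ROLE = 'daily_blogger';

function lp_register_daily_blogger_role() {
    // Create the role only once; get_role() returns null when it does not exist yet.
    if ( get_role( LP_ROLE ) ) {
        return;
    }
    // Just enough for everyday blogging: write and publish own posts, handle comments.
    // Deliberately absent: upload_files, edit_files, edit_plugins, edit_themes,
    // install_plugins, activate_plugins, manage_options.
    add_role( LP_ROLE, 'Daily Blogger', array(
        'read'                 => true,
        'edit_posts'           => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'delete_posts'         => true,
        'moderate_comments'    => true,
    ) );
}
add_action( 'init', 'lp_register_daily_blogger_role' );

// Audit helper: which accounts can still edit code or install plugins through the dashboard?
// Returns e.g. array( 'admin' => array( 'edit_plugins', 'edit_themes', ... ) ).
function lp_audit_powerful_users() {
    $risky  = array( 'edit_files', 'edit_plugins', 'edit_themes', 'install_plugins', 'unfiltered_upload' );
    $report = array();
    foreach ( get_users() as $user ) {
        $held = array();
        foreach ( $risky as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $held[] = $cap;
            }
        }
        if ( $held ) {
            $report[ $user->user_login ] = $held;
        }
    }
    return $report;
}

// Core constant: refuse dashboard edits of theme/plugin source even for administrators.
// Preferably set this in wp-config.php; defining it here is a fallback.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Run `lp_audit_powerful_users()` (for instance from a WP-CLI `wp eval` call) after assigning your day-to-day account the new role; only the admin account you reserve for plugin installs should appear in the report.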
I found Role Manager from im-web-gefunden an excellent tool for this. It's easy to install, and instructions are found on the website... good luck!
Role management is a typical defense-in-depth strategy that can really add value!