Never Use Default WordPress Username “Admin”

Unless you specify otherwise, the default WordPress Administrator account username will be: admin. Do you currently log into your WP website or blog as “admin”? If so, you have a simple way to start implementing WordPress Security on your site today: specify a unique, non-default Administrator account username!

The problem with using the default is that if a hacker wants to gain access to your blog or WordPress website, you have conceded them half the battle. All they (or their automated hacking scripts) need to do is keep using the “admin” user name with various password combinations. This is called a brute force attack, and these attacks are successful far too often, sadly, due to lack of attention to this simple fix.

How To Specify a Unique Administrator Account Username for a New WordPress Installation

If you are installing WordPress from scratch, specify your custom administrator username by toggling the “advanced” installation settings (available in many installation scripts: Fantastico, SimpleScripts, Elefante, etc).

How to Fix your Administrator Username for an Already Existing WordPress Install – The Easy Way

If you already have WordPress installed, and “admin” is your login, the fix is quite simple. Just create a new administrative level user with a better choice for login name. Then log in with the new user credentials and delete the old “admin” user account. This method has the additional benefit of assigning a new actual ID number for your administrative superuser account (the default is always created as ID#1, and it is possible that this could be targeted in a hack attempt also). Don’t worry about any pages or posts written while you were logged in and operating as “admin”, because when you delete the account, WordPress will prompt you to re-assign them to a new user and this will preserve your previously written content.

How to Fix your Administrator Username for an Already Existing WordPress Install – The Hard Way

You can also rename the default admin username in the WordPress database on the back end.

To make changes manually in your WordPress database, you need a database admin tool. The most common one (often already installed on your hosting account control panel) is phpMyAdmin.

Step 1. Log in to phpMyAdmin

Step 2. Navigate to the wp_prefix_users table, click on browse, and locate the “admin” username/ID

Step 3. Click on the edit button which will bring you to a screen that looks like this:


Step 4. Anywhere the column values say “admin”, replace with your new, carefully selected username, then click on go. Your default admin login username will be changed.

How to Choose a More Secure Administrative Account Username

Don’t use the default: admin (I just wanted to make that really clear) :0)

It’s probably best not to use something with the word “admin” in it…just in case a determined hacker or virus program is inclined to run permutations of usernames “based” on the default to catch those of us who are not very creative.

Don’t use your site or domain name. I hope the reason for this one was obvious.

Use your own name cautiously. If you sign your posts as Mary Smith, for instance, naming the administrator user as “mary” or “marysmith” puts you at risk. If you feel compelled to use your name, make sure that your name is not utilized anywhere on your website (that includes the about and contact pages, and any signature or tagline you use when you write posts). You might not even want to do this in case a disgruntled reader or anti-fan had the smarts to do a whois lookup on your domain name, and find your name that way. If you do use some version of your first and/or last name as your account login, then it is a must to create a user “nickname” (a feature of WordPress) to create a publicly displayed author name that is different from your actual user account login.

And, of course, all the regular username/password security best practices apply here too. Don’t use the same login info on lots of different sites. Don’t use the same login info you use for your banking. Don’t use simple and easy to guess character strings like “abcd1234” or “0000”…
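The username rules above can be checked mechanically before you create the new administrator account. The following Python check is an added example, not part of the original post; the function name, rule codes, and the sample domain and author name are constructed for illustration.

```python
import re

MIN_TOKEN = 3  # ignore very short fragments such as "co" or initials


def _norm(text):
    """Lowercase and keep only letters and digits, so 'Mary-Smith' == 'marysmith'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_admin_username(username, site_domain, public_names):
    """Return the rule codes a candidate login breaks (empty list = passes)."""
    login = _norm(username)
    findings = []

    # Rules 1 and 2: the default itself, or a permutation built on it.
    if login == "admin":
        findings.append("default-admin")
    elif "admin" in login:
        findings.append("contains-admin")

    # Rule 3: site or domain name. Drop the last label (TLD) and 'www'.
    labels = [_norm(part) for part in site_domain.split(".")[:-1]]
    if any(len(l) >= MIN_TOKEN and l != "www" and l in login for l in labels):
        findings.append("site-name")

    # Rule 4: any part of a name shown publicly (byline, about page, whois).
    tokens = [_norm(t) for name in public_names for t in name.split()]
    if any(len(t) >= MIN_TOKEN and t in login for t in tokens):
        findings.append("public-name")

    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    domain, names = "www.marys-kitchen.example", ["Mary Smith"]
    for candidate in ["admin", "siteadmin2", "MarysKitchen", "marysmith", "quiet-heron-47"]:
        print(candidate, audit_admin_username(candidate, domain, names))
```

An empty list means the candidate passes these four rules only; it says nothing about password strength or reuse across sites.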

I know, I know…you can barely keep track of all the usernames and passwords we have to remember. But if you consider the amount of time you spend building and growing your WordPress site, it really is worth the 2 minutes it takes to come up with something original (and yet still memorable). And you’ll be able to breathe easier the next time a WordPress targeted brute force attack virus makes the rounds online.
