WordPress Security Tip: Remove the Admin User
By default WordPress will name the administrator user account as “admin.” If you haven’t changed anything while installing WordPress, that is probably what you use to log in.
The problem with this is evident: if someone wanted to gain access to your blog, all he would need to do is to keep using the “admin” user name with a bunch of passwords combinations. This is called brute force attack, and with automated tools it works quite often.
Whenever installing WordPress from scratch, therefore, remember to use some other name for the administrator user account. If you already have WordPress installed, the fix is quite simple. Just create a new user and set it as administrator. Then log in with that new user and delete the “admin” user. Don’t worry if you have many posts written by that user, WordPress will ask whether you want to delete them or re-assign them to a new user (choose the latter obviously).
As for choosing the new user name, make sure that it is not similar to the name you display publicly on your blog. If you sign your posts as John Doe, for instance, naming the administrator user as “john” or “johndoe” wouldn’t help. You need something that others won’t be able to guess easily.
Browse all articles on the WordPress category
36 Responses to “WordPress Security Tip: Remove the Admin User”
Yes, i always remove the admin user. 😉
Be careful when you remove the user, it removed the content posted by the admin user too. I lost all my content from my website.. also could not restore it as I forget to backup.
Oh good luck,I’m using a separate username.This post will be very useful for new bloggers.Thanx.
You are right. You shouldn’t have to constantly change those things, especially if you are on a lot of blog sites and making a lot of comment s on different online sites. The government needs to do something permenant about these issues. Bye for now and thanks for letting me know of these things. They are of a great help and we need them to help us out and realize the options we all have.
But isn’t there some wordpress plugins that can defend your site against brute force?
With my starting blog, I installed a plugin called bad behavior, which (claims) to protect the blog against brute force and other forms of assault on my site.
Why do I have to delete my (most prized) administrator account?
I didn’t realize such an attack is possible on so obvious an entry point. Now I’ll keep in mind to stop using ‘admin’ whenever I start another blog.
One blog of mine was attacked a few months ago. The hacker did nothing really disastrous aside from just changing the name of the blog and also the theme.
Thanks for this post. This has been very enlightening.
Thanks for the tip….
I have removed it since I started blogging.
Don’t know…. but I never like to put it on the blog.
It’s one of the oldest tricks in the book … and it’s still one of the most effective …
That is a great way to stop hackers from hacking your blog.
Good point, I always delete the Admin user then create a new one then a new author. Use a proper password, don’t use ‘password’!
This is an important thing to do and it helps to make it as hard as possible for others to guess. This one of the first things I changed when I installed WP.
Great article. You can never to safe with your blog. Will use
Hey! Thanks for sharing this! I’d forward this link to all my wordpress friends who’s experiencing the same problem.
One of the first things I do is to change my “nickname”, so the posts show my nickname and not my username. But good advice for deleting the admin username- think that I will do that too!
Last Fall all 14 of my blogs were hacked. I think they all had a common file that was vulnerable since they had different passwords. It was a bit unnerving when I found that they ALL had been hacked- My main concern at that point was did they just attack my blogs or did they get into my C-Panel. I’ve never felt so vulnerable- like someone had broken into my home.
Fortunately (kinda sorta) they only hacked into my blogs and not my C-Panel.
thanks for the tip,
Thanks Daniel so much.
I find WordPress, Live Journal as well as Google and @gmail the hardest sources and I still can’t figure it out. google seemes to not really want a free email customer so therefore goes out of their way to make it nigh to impossible as does the others to get into and stay with them. I find it weird also that some places have stated my email is not valid even though that’s not true. The government can and won’t do anything about the scammers, hackers and worse and i find it bad for those of us who try to stay above the law when the laws do not protect us at all. How can you even call it law? Thanks, I think also people should have a s many different emails as they possibly can, because these third-parties and others need to get a JOB or JUST GO TO JAIL AND NEVER BE LET OUT1
I always change admin on installation simply coz it’s so boring – it’s good to get these security fixes tho’ and will go looking for the plugin mentioned
Use WP Optimize plugin to change username of admin. It works!
I’ve tried to delete the admin user but it’s impossible.
It’s default so I can’t delete normally.
Any other idea?
@Keith, good point. I guess it is recommended to remove the author links as well then.
Blog Ebooks – Claus D Jensen
Did that resently on my blog.
It’s good advice!
Claus D jensen 😀
that issue has actually been bothering me for quite some time, or at least since I installed wordpress all those many weeks ago! thank you for your daily blog tips, keep them coming! xxx
What if you have placed .htaccess file denying access to others for wp-admin?
Thanks a lot for this tip.I was looking the method for this job.
I use another easy method. Using WP-Optimize plugin, I just change admin username to something else!
Confirm with Keith above — author permalinks reveal your username. Even though Kubrick doesn’t user author permalinks (as far as I can recall, at least), it still prints it in a HTML comment, e.g. <!– by Jeremy –> in the .postmetadata box.
By default, WordPress displays your username as the author name below post titles or at the end of your posts, but this is easy to change.
In the Dashboard, under Users > Your Profile in the Name section, use the dropdown menu next to “Display name publicly as” to select one of the options that is not your username.
Be sure to click the Update Profile button to save the change.
I would suggest to use a htaccess protection for the admin folder. In that case an intruder would need four words:
– user of htaccess protection
– password for htaccess
– wordpress admin
– password for wordpress admin
That should be safe.
This is helpful however people can still find out the user names from the author links that many blog users have on their blog, so another good thing would be not sharing the author link.
That said having a good password goes a very long way in thwarting attacks, you should use a mix of lower case, upper case, numbers and special characters, those passwords are almost unguessable.
Arun Basil Lal
Recently, I had a guest post on the same thing. Here are two more ways to change the default user name ‘admin’ –
Comments are closed.