WordPress Security Tip: Remove the Admin User



By default, WordPress names the administrator user account “admin.” If you haven’t changed anything while installing WordPress, that is probably what you use to log in.

The problem with this is evident: anyone who wanted to gain access to your blog would only need to keep trying the “admin” user name with a bunch of password combinations. This is called a brute force attack, and with automated tools it works quite often.

Whenever installing WordPress from scratch, therefore, remember to use some other name for the administrator user account. If you already have WordPress installed, the fix is quite simple. Just create a new user and set it as administrator. Then log in with that new user and delete the “admin” user. Don’t worry if you have many posts written by that user: WordPress will ask whether you want to delete them or re-assign them to a new user (choose the latter, obviously).

As for choosing the new user name, make sure that it is not similar to the name you display publicly on your blog. If you sign your posts as John Doe, for instance, naming the administrator user “john” or “johndoe” wouldn’t help. You need something that others won’t be able to guess easily.
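The two checks above (no account named “admin”, and no login that follows from the publicly displayed name) can be run over a list of accounts. The sketch below is an added example, not part of the original post or of WordPress; the account list is constructed, and the candidate patterns (first name, last name, joined names, initial plus last name, trailing digits ignored) are an assumed heuristic for "similar".

```python
import re
import unicodedata

DEFAULT_LOGIN = "admin"  # the default administrator name the article warns about


def _tokens(display_name):
    """Lower-case ASCII word tokens of a public display name."""
    folded = unicodedata.normalize("NFKD", display_name)
    ascii_name = folded.encode("ascii", "ignore").decode()
    return re.findall(r"[a-z0-9]+", ascii_name.lower())


def guessable_logins(display_name):
    """Login names an outsider could derive from the displayed name."""
    parts = _tokens(display_name)
    candidates = set(parts)
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        candidates.update({first + last, last + first, first[0] + last,
                           "".join(parts)})
    return candidates


def _normalize(login):
    """Drop case, separators and trailing digits: 'John.Doe77' -> 'johndoe'."""
    squeezed = re.sub(r"[^a-z0-9]", "", login.lower())
    return re.sub(r"\d+$", "", squeezed)


def audit_user(login, display_name):
    """Return the findings for one account; an empty list means none."""
    findings = []
    if login.strip().lower() == DEFAULT_LOGIN:
        findings.append("default administrator login")
    if _normalize(login) in guessable_logins(display_name):
        findings.append("login derivable from public display name")
    return findings


# Constructed sample accounts: (login, name displayed publicly on the blog).
SAMPLE_USERS = [("admin", "Jane Roe"), ("johndoe", "John Doe"),
                ("j.doe", "John Doe"), ("kestrel-ops-41", "John Doe")]

if __name__ == "__main__":
    for login, shown in SAMPLE_USERS:
        print(f"{login!r} shown as {shown!r}: {audit_user(login, shown) or 'ok'}")
```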


36 Responses to “WordPress Security Tip: Remove the Admin User”

  • Boerne Search

    Yes, I always remove the admin user. 😉


  • Nathans

    Be careful when you remove the user, it removed the content posted by the admin user too. I lost all my content from my website. Also could not restore it as I forgot to back up.

  • Blogoof

    Oh good luck, I’m using a separate username. This post will be very useful for new bloggers. Thanx.

  • Naomi Hamm

    You are right. You shouldn’t have to constantly change those things, especially if you are on a lot of blog sites and making a lot of comments on different online sites. The government needs to do something permanent about these issues. Bye for now and thanks for letting me know of these things. They are of a great help and we need them to help us out and realize the options we all have.

  • ATP

    But aren’t there some WordPress plugins that can defend your site against brute force?
    With my starting blog, I installed a plugin called bad behavior, which (claims) to protect the blog against brute force and other forms of assault on my site.
    Why do I have to delete my (most prized) administrator account?

  • MJ Ces

    I didn’t realize such an attack is possible on so obvious an entry point. Now I’ll keep in mind to stop using ‘admin’ whenever I start another blog.

    One blog of mine was attacked a few months ago. The hacker did nothing really disastrous aside from just changing the name of the blog and also the theme.

    Thanks for this post. This has been very enlightening.

  • Nikhil

    Thanks for the tip….

    I have removed it since I started blogging.

    Don’t know…. but I never like to put it on the blog.

  • Lex G

    It’s one of the oldest tricks in the book … and it’s still one of the most effective …


  • Joshua Elliot

    That is a great way to stop hackers from hacking your blog.


  • Tom Bradshaw

    Good point, I always delete the Admin user then create a new one then a new author. Use a proper password, don’t use ‘password’!

  • George Serradinho

    This is an important thing to do and it helps to make it as hard as possible for others to guess. This one of the first things I changed when I installed WP.

  • Josh H

    Great article. You can never be too safe with your blog. Will use

  • Chester

    Hey! Thanks for sharing this! I’d forward this link to all my WordPress friends who are experiencing the same problem.

  • Kathy Pop

    One of the first things I do is to change my “nickname”, so the posts show my nickname and not my username. But good advice for deleting the admin username- think that I will do that too!

    Last Fall all 14 of my blogs were hacked. I think they all had a common file that was vulnerable since they had different passwords. It was a bit unnerving when I found that they ALL had been hacked- My main concern at that point was did they just attack my blogs or did they get into my C-Panel. I’ve never felt so vulnerable- like someone had broken into my home.

    Fortunately (kinda sorta) they only hacked into my blogs and not my C-Panel.

    thanks for the tip,
    Kathy Pop

  • Y5CaFe

    Thanks Daniel so much.

  • Naomi Hamm

    I find WordPress, Live Journal as well as Google and @gmail the hardest sources and I still can’t figure it out. Google seems to not really want a free email customer so therefore goes out of their way to make it nigh to impossible as does the others to get into and stay with them. I find it weird also that some places have stated my email is not valid even though that’s not true. The government can and won’t do anything about the scammers, hackers and worse and I find it bad for those of us who try to stay above the law when the laws do not protect us at all. How can you even call it law? Thanks, I think also people should have as many different emails as they possibly can, because these third-parties and others need to get a JOB or JUST GO TO JAIL AND NEVER BE LET OUT!

  • Alex Newell

    I always change admin on installation simply coz it’s so boring – it’s good to get these security fixes tho’ and will go looking for the plugin mentioned

  • Mr. I

    @ V.C.

    Use WP Optimize plugin to change username of admin. It works!

  • V.C

    I’ve tried to delete the admin user but it’s impossible.
    It’s default so I can’t delete normally.
    Any other idea?

  • Daniel Scocco

    @Keith, good point. I guess it is recommended to remove the author links as well then.

  • Blog Ebooks – Claus D Jensen

    Did that recently on my blog.

    It’s good advice!

    Claus D jensen 😀

  • Anna

    That issue has actually been bothering me for quite some time, or at least since I installed WordPress all those many weeks ago! Thank you for your daily blog tips, keep them coming! xxx

  • Akhilan

    What if you have placed .htaccess file denying access to others for wp-admin?

  • S.K Sharma

    Hi Daniel,
    Thanks a lot for this tip. I was looking for the method for this job.

  • Mr. I

    I use another easy method. Using WP-Optimize plugin, I just change admin username to something else!

  • Jeremy

    Confirm with Keith above — author permalinks reveal your username. Even though Kubrick doesn’t use author permalinks (as far as I can recall, at least), it still prints it in an HTML comment, e.g. <!-- by Jeremy --> in the .postmetadata box.

  • Mark McLaren

    By default, WordPress displays your username as the author name below post titles or at the end of your posts, but this is easy to change.

    In the Dashboard, under Users > Your Profile in the Name section, use the dropdown menu next to “Display name publicly as” to select one of the options that is not your username.

    Be sure to click the Update Profile button to save the change.

  • Thorsten Roemer

    I would suggest to use a htaccess protection for the admin folder. In that case an intruder would need four words:
    – user of htaccess protection
    – password for htaccess
    – wordpress admin
    – password for wordpress admin

    That should be safe.

  • Keith Dsouza

    This is helpful however people can still find out the user names from the author links that many blog users have on their blog, so another good thing would be not sharing the author link.

    That said having a good password goes a very long way in thwarting attacks, you should use a mix of lower case, upper case, numbers and special characters, those passwords are almost unguessable.

  • Arun Basil Lal

    Recently, I had a guest post on the same thing. Here are two more ways to change the default user name ‘admin’ –
