By default WordPress will name the administrator user account as “admin.” If you haven’t changed anything while installing WordPress, that is probably what you use to log in.
The problem with this is evident: if someone wanted to gain access to your blog, all he would need to do is to keep using the “admin” user name with a bunch of passwords combinations. This is called brute force attack, and with automated tools it works quite often.
Whenever installing WordPress from scratch, therefore, remember to use some other name for the administrator user account. If you already have WordPress installed, the fix is quite simple. Just create a new user and set it as administrator. Then log in with that new user and delete the “admin” user. Don’t worry if you have many posts written by that user, WordPress will ask whether you want to delete them or re-assign them to a new user (choose the latter obviously).
As for choosing the new user name, make sure that it is not similar to the name you display publicly on your blog. If you sign your posts as John Doe, for instance, naming the administrator user as “john” or “johndoe” wouldn’t help. You need something that others won’t be able to guess easily.
About Daniel
Daniel Scocco is a programmer and entrepreneur located in São Paulo, Brazil. His first company, Online Profits, builds and manages websites in different niches. His second company, Kubic, specializes in developing mobile apps for the iOS and Android platforms.
Hi Daniel. I am in the early stages of starting-up my business and I was researching how to change my admin username when I came across your post in a Google search. I had the same problem as someone above, I was logging in with the Admin username. After reading your info I was able to do it no problem. Thanks a bunch!
You can also change username by using PHPMyAdmin
Thanks so much for this info. I knew you were supposed to delete the default admin, but I didn’t know how. The trick I was missing was to log in with the new user account to delete it.
There’s not much on the web touching this topic but I believe this is one of the most simplest things an administrator can do to “Bullet Proof” to an extent there WordPress Wesbite.
Adding on to @ Arun Basil Lal with the article, technique # 3 is not explained as detailed as an article I just posted over on
http://www.bakermedia.com/forum/showthread.php?p=1061872#post1061872
Which specifically talks about this method.
Great article, always love the security articles!
FYI, if you embed content in a post, the code will disappear if you post as “author” rather than administrator (using latest update of WP). Followed this advice earlier today and made my posting name an author instead of administrator and spent way too long trying to figure out what was wrong with the embeds I was including in a post before remembering that change.
I always remove it.
Not only for security reasons but for user interaction as well.
IMO, ‘admin’ sounds way too serious.
Yes, i always remove the admin user. 😉
Kane
Be careful when you remove the user, it removed the content posted by the admin user too. I lost all my content from my website.. also could not restore it as I forget to backup.
Oh good luck,I’m using a separate username.This post will be very useful for new bloggers.Thanx.
You are right. You shouldn’t have to constantly change those things, especially if you are on a lot of blog sites and making a lot of comment s on different online sites. The government needs to do something permenant about these issues. Bye for now and thanks for letting me know of these things. They are of a great help and we need them to help us out and realize the options we all have.
But isn’t there some wordpress plugins that can defend your site against brute force?
With my starting blog, I installed a plugin called bad behavior, which (claims) to protect the blog against brute force and other forms of assault on my site.
Why do I have to delete my (most prized) administrator account?
I didn’t realize such an attack is possible on so obvious an entry point. Now I’ll keep in mind to stop using ‘admin’ whenever I start another blog.
One blog of mine was attacked a few months ago. The hacker did nothing really disastrous aside from just changing the name of the blog and also the theme.
Thanks for this post. This has been very enlightening.
Thanks for the tip….
I have removed it since I started blogging.
Don’t know…. but I never like to put it on the blog.
It’s one of the oldest tricks in the book … and it’s still one of the most effective …
Lex
That is a great way to stop hackers from hacking your blog.
Thanks.
Good point, I always delete the Admin user then create a new one then a new author. Use a proper password, don’t use ‘password’!
This is an important thing to do and it helps to make it as hard as possible for others to guess. This one of the first things I changed when I installed WP.
Great article. You can never to safe with your blog. Will use
Hey! Thanks for sharing this! I’d forward this link to all my wordpress friends who’s experiencing the same problem.
One of the first things I do is to change my “nickname”, so the posts show my nickname and not my username. But good advice for deleting the admin username- think that I will do that too!
Last Fall all 14 of my blogs were hacked. I think they all had a common file that was vulnerable since they had different passwords. It was a bit unnerving when I found that they ALL had been hacked- My main concern at that point was did they just attack my blogs or did they get into my C-Panel. I’ve never felt so vulnerable- like someone had broken into my home.
Fortunately (kinda sorta) they only hacked into my blogs and not my C-Panel.
thanks for the tip,
Kathy Pop
Thanks Daniel so much.
I find WordPress, Live Journal as well as Google and @gmail the hardest sources and I still can’t figure it out. google seemes to not really want a free email customer so therefore goes out of their way to make it nigh to impossible as does the others to get into and stay with them. I find it weird also that some places have stated my email is not valid even though that’s not true. The government can and won’t do anything about the scammers, hackers and worse and i find it bad for those of us who try to stay above the law when the laws do not protect us at all. How can you even call it law? Thanks, I think also people should have a s many different emails as they possibly can, because these third-parties and others need to get a JOB or JUST GO TO JAIL AND NEVER BE LET OUT1
I always change admin on installation simply coz it’s so boring – it’s good to get these security fixes tho’ and will go looking for the plugin mentioned
@ V.C.
Use WP Optimize plugin to change username of admin. It works!
I’ve tried to delete the admin user but it’s impossible.
It’s default so I can’t delete normally.
Any other idea?
@Keith, good point. I guess it is recommended to remove the author links as well then.
Did that resently on my blog.
It’s good advice!
Greetings,
Claus D jensen 😀
that issue has actually been bothering me for quite some time, or at least since I installed wordpress all those many weeks ago! thank you for your daily blog tips, keep them coming! xxx
What if you have placed .htaccess file denying access to others for wp-admin?
Hi Daniel,
Thanks a lot for this tip.I was looking the method for this job.
I use another easy method. Using WP-Optimize plugin, I just change admin username to something else!
Confirm with Keith above — author permalinks reveal your username. Even though Kubrick doesn’t user author permalinks (as far as I can recall, at least), it still prints it in a HTML comment, e.g. <!– by Jeremy –> in the .postmetadata box.
By default, WordPress displays your username as the author name below post titles or at the end of your posts, but this is easy to change.
In the Dashboard, under Users > Your Profile in the Name section, use the dropdown menu next to “Display name publicly as” to select one of the options that is not your username.
Be sure to click the Update Profile button to save the change.
I would suggest to use a htaccess protection for the admin folder. In that case an intruder would need four words:
– user of htaccess protection
– password for htaccess
– wordpress admin
– password for wordpress admin
That should be safe.
This is helpful however people can still find out the user names from the author links that many blog users have on their blog, so another good thing would be not sharing the author link.
That said having a good password goes a very long way in thwarting attacks, you should use a mix of lower case, upper case, numbers and special characters, those passwords are almost unguessable.
Recently, I had a guest post on the same thing. Here are two more ways to change the default user name ‘admin’ –