WordPress “Admin” Username Security Risk

Thrive Creative Group - Tips on how to protect your WordPress website.Your website maybe under attack by brute force hackers!

The primary target  of these attacks are WordPress websites that use the username “admin” and other common variations of this username, such as: “test”, “Administrator”, and so on. You can easily protect your site by ensuring that the “admin” username is not in use on your WordPress website, and ensuring that the usernames you do have currently in use have strong passwords. Please check out our setups below on how to remove this username and how to protect your site.

What’s the BIG DEAL about the admin username? By default WordPress will tell you to setup an account when you setup WordPress. By default “admin” is the username suggested by WordPress for this account. What this means is that “admin” is the most common username across all WordPress sites on the web. So, if a hacker wants to get into your site, the first username he/she will try, is the admin username.

What is a “Brute Force” attack? A brute force attack is when a hacker goes into your site and tries every password under the sun. The first username the will try is the admin username. So if you get rid of the admin username, it will be more difficult for hackers to target your website.


How to get rid of the “admin” username.

  1. Login to your WordPress site.
  2. From the WordPress dashboard, select Users
  3. Click on the Admin account that you have setup, and check out the email address that you have set for this account. Change this to something different, something that you have access to, but not necessarily something you want this account associate with. (Don’t worry we will be removing this account later.)
  4. The next step is to create a new user: User > Add New
  5. Set a more detailed username and enter an email address that you want linked to the account (can’t be the same as step 3, which is why we changed it!).
  6. Set a STRONG password. We highly suggest the use of a password generator, like one of these:
    Cloudwards Password Generator Tool »
    Strong Password Generator »
    The Best VPN’s Password Generator »
  7. Set the role to administrator” and click the Add New button!
  8. Log out and Log back in with your new account.
  9. Navigate to Users > All Users. Find the admin account, and click delete but be sure to attribute all original posts and content to the new user you just created.

Steps Thrive takes to ensure your protection for your WordPress website:

  1. We don’t use the “admin” username for our clients custom WordPress websites.
  2. We use strong passwords. Our passwords contain a combination of uppercase letters, lowercase letters, numbers, and punctuation marks.
  3. We establish a Login Lockdown, that only allows for 3-5 failed login attempts before the site disables the login area for 60 min.
  4. We setup an annoying CAPTCHA that requires you to solve a simple math problem in order to login. This math problem contains spelled out numbers as words and numerical numbers, which makes it way more complex to prevent robots from a brute force attack.

All of these make it much more difficult and challenging for a hacker to break in to your site. While we do the best we can to ensure your protection, the best way to protect your site is to have a strong password! Please change your password today and make your website strong! We are always just a phone call, tweet, text, or email away! Telephone (931) 221-4991, @thrivecreative or our contact form here »

Posted In: Marketing Tips