In this, the first in series of WordPress security quick tips, we discuss why you should change the default WordPress admin username.
Depending on how you installed WordPress, the chances are you have a default user called ‘Admin’. Often people stick with this because it’s easy to remember and they don’t realise the importance of changing it.
One of my customers contacted me recently asking why Wordfence was reporting attempted logins by a user called ‘admin’. It was quite disconcerting for her, but I was able to reassure her this was normal and that’s why I provided her a username she doesn’t like!
Why is changing the admin username important?
In short, it adds a layer of defence against brute force attacks. These are login attempts by attackers on the internet. The attackers could be human or machine. A computer sees a WordPress website and makes an assumption that if it adds /wp-admin onto the end of the address, a login prompt will appear.
The next steps are to guess username and password, and then the attacker is in!
Because the attacker knows most people don’t alter the ‘admin’ username, that’s what they try. It’s then a simple matter of guessing the password.
I’ll create another quick-tip soon about passwords, but all too often people use easy-to-guess passwords.
How does WordPress handle these attacks?
I highly recommend installing the plugin Wordfence.
Security plugins like Wordfence monitor and help protect you against this kind of attack and you can limit the amount of failed login attempts your website is prepared to accept before it locks the site for a period of time.
If you use Jetpack, it has a similar functionality that you can enable.
How to change the default WordPress admin username
WordPress doesn’t allow you to change a username once it’s been created.
To change the username you actually need to create a new user and delete the old one, being careful not to lose data!
I recommend creating a username policy. For example all users will be structures as [name]_[5 alphanumeric characters]. This might result in a username such as fred_E3ifC
OK, it doesn’t look nice, but it’s unlikely to be guessed.
You are logged in as Admin. Create a new user with admin privileges, in our example fred_E3ifC. You can give this user a real name, even if it’s the same name as the current admin, but you can never change the username.
Log out of WordPress and log in again, this time as fred_E3ifC.
Delete the old user (admin). You will be prompted to claim any posts or other articles ‘admin’ created. Make sure you do this as otherwise posts might get lost or corrupted somehow.
You now have a WordPress website that doesn’t have a default username that hackers can easily guess.
As well as this, you have a policy in place for creating new users should you need to.
Most importantly, you are now in charge of a website that is more secure. Enjoy :)