WordPress security quick tips - change the default WordPress admin username

February 14, 2021
Steve Turnbull
<< back to resources
WordPress security tip: Change your default Admin password

Over time, this post has become very popular. So I have updated it to bring it up to date and press home the point of the importance of using a secure, unique username for your WordPress website, and get rid of the default "Admin" user that might be lingering about.

Depending on  how you installed WordPress, it's possible you have a default user called ‘Admin’. Often people stick with this because it’s easy to remember and they don’t realise the importance of changing it.

We have had people enquire with us concerned about Wordfence reporting attempted logins by a user called ‘admin’.

Why Changing the Default WordPress Admin Username is Crucial for Security?

Many WordPress users fall into the trap of using the default 'admin' username for their primary admin account. While this may seem convenient, it poses a significant security risk, especially in the face of evolving cyberattack techniques.

The Peril of Default Usernames

Brute-force attacks are a common method employed by attackers to gain unauthorised access to WordPress websites. As well as humans trying to gain access to your website, most attacks involve automated programs that relentlessly try to guess usernames and passwords. Since the "admin" username is the most widely used, it becomes a prime target for such attacks.

The Proactive Approach: Changing the Default Username

Replacing the default "admin" with a unique username significantly reduces the chances of a successful brute-force attack. This simple step adds an extra layer of complexity for attackers, making it less likely for them to crack the password and gain access to your website.

Wordfence: A Powerful Ally in the Fight Against Brute-force Attacks

We highly recommend installing the WordPress security plugin Wordfence. Not only does Wordfence help to prevent these attacks, it can be set to alert you when there are an increased number of failed login attempts, and lockout whoever is trying to log in after a predefined number of failed logins.

A report from Wordfence detailing failed login attempts

Wordfence's security arsenal extends beyond brute-force protection. It provides comprehensive malware scanning, firewall protection, and real-time threat detection, ensuring your WordPress website is safeguarded against a wide range of online threats.

And anything susp[icous, it will alert you.

How to change the default WordPress admin username

First up, I recommend creating a strong username policy. For example a unique name, followed by a dash and 4 number, e.g. fred-5748.

WordPress doesn’t allow you to change a username once it’s been created, so if your only login is the account with the username 'admin' or 'Admin' - then simply create a new user, using your new username policy.

If the original Admin user has data associated with them, e.g. blog posts that are in their name, then WordPress will prompt you to migrate this over to the new user you have created.


If you follow the guidance above, you now have a WordPress website that doesn’t have a default username that hackers can easily guess, a policy in place for creating new users should you need to and software monitoring suspicious activity.

Most importantly, you are now in charge of a website that is more secure.

Tell us what you like, we'll make it happen