WordPress Security Tip: Remove the Admin User

By Daniel Scocco

By default, WordPress names the administrator user account “admin.” If you haven’t changed anything while installing WordPress, that is probably what you use to log in.

The problem with this is evident: if someone wanted to gain access to your blog, all they would need to do is keep trying the “admin” user name with a bunch of different passwords. This is called a brute force attack, and with automated tools it works quite often.

Whenever you install WordPress from scratch, therefore, remember to use some other name for the administrator user account. If you already have WordPress installed, the fix is quite simple. Just create a new user and set it as administrator. Then log in with that new user and delete the “admin” user. Don’t worry if you have many posts written by that user: WordPress will ask whether you want to delete them or re-assign them to a new user (choose the latter, obviously).

As for choosing the new user name, make sure that it is not similar to the name you display publicly on your blog. If you sign your posts as John Doe, for instance, naming the administrator user as “john” or “johndoe” wouldn’t help. You need something that others won’t be able to guess easily.
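
The naming advice above can be checked mechanically. The following is an added example, not code from the original post: it audits a list of administrator accounts for the default “admin” login and for logins derivable from the public display name. It assumes the accounts are exported as JSON with `user_login` and `display_name` fields (the shape produced by `wp user list --role=administrator --format=json`); the sample data is constructed, and the “jdoe” and “doejohn” variants go beyond the “john”/“johndoe” cases the post names.

```python
import json
import re

# Constructed sample, in the shape of `wp user list --role=administrator --format=json`.
SAMPLE_ADMINS = json.loads("""[
  {"ID": 1, "user_login": "admin",          "display_name": "John Doe"},
  {"ID": 2, "user_login": "johndoe",        "display_name": "John Doe"},
  {"ID": 3, "user_login": "j.doe",          "display_name": "John Doe"},
  {"ID": 4, "user_login": "kestrel-ops-41", "display_name": "John Doe"}
]""")

DEFAULT_LOGINS = {"admin"}  # the default name the post warns about


def _norm(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def guessable_from_display_name(display_name):
    """Logins a visitor could derive from the publicly shown name."""
    words = [w for w in (_norm(p) for p in display_name.split()) if w]
    guesses = set(words)                      # "john", "doe"
    if words:
        guesses.add("".join(words))           # "johndoe"
    if len(words) > 1:
        guesses.add(words[0][0] + words[-1])  # "jdoe"    (assumed extra variant)
        guesses.add(words[-1] + words[0])     # "doejohn" (assumed extra variant)
    return guesses


def audit_admin_logins(users):
    """Return {user_login: reason} for administrator logins that are easy to guess."""
    findings = {}
    for user in users:
        login = _norm(user["user_login"])
        if login in DEFAULT_LOGINS:
            findings[user["user_login"]] = "default administrator name"
        elif login in guessable_from_display_name(user["display_name"]):
            findings[user["user_login"]] = "derivable from public display name"
    return findings


if __name__ == "__main__":
    for login, reason in audit_admin_logins(SAMPLE_ADMINS).items():
        print(f"{login}: {reason}")
```
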


36 Responses to “WordPress Security Tip: Remove the Admin User”

  • Arun Basil Lal

    Recently, I had a guest post on the same thing. Here are two more ways to change the default user name ‘admin’ –

    http://www.millionclues.com/guest-posts/change-wordpress-default-username-3-ways

  • Keith Dsouza

    This is helpful however people can still find out the user names from the author links that many blog users have on their blog, so another good thing would be not sharing the author link.

    That said having a good password goes a very long way in thwarting attacks, you should use a mix of lower case, upper case, numbers and special characters, those passwords are almost unguessable.

  • Thorsten Roemer

    I would suggest to use a htaccess protection for the admin folder. In that case an intruder would need four words:
    – user of htaccess protection
    – password for htaccess
    – wordpress admin
    – password for wordpress admin

    That should be safe.

  • Mark McLaren

    By default, WordPress displays your username as the author name below post titles or at the end of your posts, but this is easy to change.

    In the Dashboard, under Users > Your Profile in the Name section, use the dropdown menu next to “Display name publicly as” to select one of the options that is not your username.

    Be sure to click the Update Profile button to save the change.

  • Jeremy

    Confirm with Keith above — author permalinks reveal your username. Even though Kubrick doesn’t use author permalinks (as far as I can recall, at least), it still prints it in an HTML comment, e.g. <!-- by Jeremy --> in the .postmetadata box.

  • Mr. I

    I use another easy method. Using WP-Optimize plugin, I just change admin username to something else!

  • S.K Sharma

    Hi Daniel,
    Thanks a lot for this tip. I was looking for the method for this job.

  • Akhilan

    What if you have placed .htaccess file denying access to others for wp-admin?

  • Anna

    that issue has actually been bothering me for quite some time, or at least since I installed wordpress all those many weeks ago! thank you for your daily blog tips, keep them coming! xxx

  • Blog Ebooks – Claus D Jensen

    Did that recently on my blog.

    It’s good advice!

    Greetings,
    Claus D jensen 😀

  • Daniel Scocco

    @Keith, good point. I guess it is recommended to remove the author links as well then.

  • V.C

    I’ve tried to delete the admin user but it’s impossible.
    It’s default so I can’t delete normally.
    Any other idea?

  • Mr. I

    @ V.C.

    Use WP Optimize plugin to change username of admin. It works!

  • Alex Newell

    I always change admin on installation simply coz it’s so boring – it’s good to get these security fixes tho’ and will go looking for the plugin mentioned

  • Naomi Hamm

    I find WordPress, Live Journal as well as Google and @gmail the hardest sources and I still can’t figure it out. Google seems to not really want a free email customer so therefore goes out of their way to make it nigh to impossible as does the others to get into and stay with them. I find it weird also that some places have stated my email is not valid even though that’s not true. The government can and won’t do anything about the scammers, hackers and worse and I find it bad for those of us who try to stay above the law when the laws do not protect us at all. How can you even call it law? Thanks, I think also people should have as many different emails as they possibly can, because these third-parties and others need to get a JOB or JUST GO TO JAIL AND NEVER BE LET OUT!

  • Y5CaFe

    Thanks Daniel so much.

  • Kathy Pop

    One of the first things I do is to change my “nickname”, so the posts show my nickname and not my username. But good advice for deleting the admin username- think that I will do that too!

    Last Fall all 14 of my blogs were hacked. I think they all had a common file that was vulnerable since they had different passwords. It was a bit unnerving when I found that they ALL had been hacked- My main concern at that point was did they just attack my blogs or did they get into my C-Panel. I’ve never felt so vulnerable- like someone had broken into my home.

    Fortunately (kinda sorta) they only hacked into my blogs and not my C-Panel.

    thanks for the tip,
    Kathy Pop

  • Chester

    Hey! Thanks for sharing this! I’d forward this link to all my WordPress friends who are experiencing the same problem.

  • Josh H

    Great article. You can never be too safe with your blog. Will use

  • George Serradinho

    This is an important thing to do and it helps to make it as hard as possible for others to guess. This is one of the first things I changed when I installed WP.

  • Tom Bradshaw

    Good point, I always delete the Admin user then create a new one then a new author. Use a proper password, don’t use ‘password’!

  • Joshua Elliot

    That is a great way to stop hackers from hacking your blog.

    Thanks.

  • Lex G

    It’s one of the oldest tricks in the book … and it’s still one of the most effective …

    Lex

  • Nikhil

    Thanks for the tip….

    I have removed it since I started blogging.

    Don’t know…. but I never like to put it on the blog.

  • MJ Ces

    I didn’t realize such an attack is possible on so obvious an entry point. Now I’ll keep in mind to stop using ‘admin’ whenever I start another blog.

    One blog of mine was attacked a few months ago. The hacker did nothing really disastrous aside from just changing the name of the blog and also the theme.

    Thanks for this post. This has been very enlightening.

  • ATP

    But isn’t there some wordpress plugins that can defend your site against brute force?
    With my starting blog, I installed a plugin called bad behavior, which (claims) to protect the blog against brute force and other forms of assault on my site.
    Why do I have to delete my (most prized) administrator account?

  • Naomi Hamm

    You are right. You shouldn’t have to constantly change those things, especially if you are on a lot of blog sites and making a lot of comments on different online sites. The government needs to do something permanent about these issues. Bye for now and thanks for letting me know of these things. They are of a great help and we need them to help us out and realize the options we all have.

  • Blogoof

    Oh good luck, I’m using a separate username. This post will be very useful for new bloggers. Thanx.

  • Nathans

    Be careful when you remove the user, it removed the content posted by the admin user too. I lost all my content from my website.. also could not restore it as I forgot to back up.

  • Boerne Search

    Yes, I always remove the admin user. 😉

    Kane

  • vegas

    I always remove it.

    Not only for security reasons but for user interaction as well.

    IMO, ‘admin’ sounds way too serious.

  • Melissa Wade

    FYI, if you embed content in a post, the code will disappear if you post as “author” rather than administrator (using latest update of WP). Followed this advice earlier today and made my posting name an author instead of administrator and spent way too long trying to figure out what was wrong with the embeds I was including in a post before remembering that change.

  • Giancarlo Colfer

    There’s not much on the web touching this topic but I believe this is one of the simplest things an administrator can do to “Bullet Proof” to an extent their WordPress Website.

    Adding on to @ Arun Basil Lal with the article, technique # 3 is not explained as detailed as an article I just posted over on

    http://www.bakermedia.com/forum/showthread.php?p=1061872#post1061872

    Which specifically talks about this method.

    Great article, always love the security articles!

  • Leslie Nicole

    Thanks so much for this info. I knew you were supposed to delete the default admin, but I didn’t know how. The trick I was missing was to log in with the new user account to delete it.

  • Vivek Parmar

    You can also change the username by using phpMyAdmin

  • Devan

    Hi Daniel. I am in the early stages of starting-up my business and I was researching how to change my admin username when I came across your post in a Google search. I had the same problem as someone above, I was logging in with the Admin username. After reading your info I was able to do it no problem. Thanks a bunch!

Comments are closed.