WordPress Security Tip: Remove the Admin User

By Daniel Scocco

By default WordPress will name the administrator user account as “admin.” If you haven’t changed anything while installing WordPress, that is probably what you use to log in.

The problem with this is evident: if someone wanted to gain access to your blog, all he would need to do is to keep using the “admin” user name with a bunch of passwords combinations. This is called brute force attack, and with automated tools it works quite often.

Whenever installing WordPress from scratch, therefore, remember to use some other name for the administrator user account. If you already have WordPress installed, the fix is quite simple. Just create a new user and set it as administrator. Then log in with that new user and delete the “admin” user. Don’t worry if you have many posts written by that user, WordPress will ask whether you want to delete them or re-assign them to a new user (choose the latter obviously).

As for choosing the new user name, make sure that it is not similar to the name you display publicly on your blog. If you sign your posts as John Doe, for instance, naming the administrator user as “john” or “johndoe” wouldn’t help. You need something that others won’t be able to guess easily.



Related Articles

Please install the YARPP plugin

Share

36 Responses to “WordPress Security Tip: Remove the Admin User”

  • Devan

    Hi Daniel. I am in the early stages of starting-up my business and I was researching how to change my admin username when I came across your post in a Google search. I had the same problem as someone above, I was logging in with the Admin username. After reading your info I was able to do it no problem. Thanks a bunch!

  • Vivek Parmar

    You can also change username by using PHPMyAdmin

  • Leslie Nicole

    Thanks so much for this info. I knew you were supposed to delete the default admin, but I didn’t know how. The trick I was missing was to log in with the new user account to delete it.

  • Giancarlo Colfer

    There’s not much on the web touching this topic but I believe this is one of the most simplest things an administrator can do to “Bullet Proof” to an extent there WordPress Wesbite.

    Adding on to @ Arun Basil Lal with the article, technique # 3 is not explained as detailed as an article I just posted over on

    http://www.bakermedia.com/forum/showthread.php?p=1061872#post1061872

    Which specifically talks about this method.

    Great article, always love the security articles!

  • Melissa Wade

    FYI, if you embed content in a post, the code will disappear if you post as “author” rather than administrator (using latest update of WP). Followed this advice earlier today and made my posting name an author instead of administrator and spent way too long trying to figure out what was wrong with the embeds I was including in a post before remembering that change.

  • vegas

    I always remove it.

    Not only for security reasons but for user interaction as well.

    IMO, ‘admin’ sounds way too serious.

Comments are closed.