WordPress Security Tip: Remove the Admin User
By default WordPress will name the administrator user account as “admin.” If you haven’t changed anything while installing WordPress, that is probably what you use to log in.
The problem with this is evident: if someone wanted to gain access to your blog, all he would need to do is to keep using the “admin” user name with a bunch of passwords combinations. This is called brute force attack, and with automated tools it works quite often.
Whenever installing WordPress from scratch, therefore, remember to use some other name for the administrator user account. If you already have WordPress installed, the fix is quite simple. Just create a new user and set it as administrator. Then log in with that new user and delete the “admin” user. Don’t worry if you have many posts written by that user, WordPress will ask whether you want to delete them or re-assign them to a new user (choose the latter obviously).
As for choosing the new user name, make sure that it is not similar to the name you display publicly on your blog. If you sign your posts as John Doe, for instance, naming the administrator user as “john” or “johndoe” wouldn’t help. You need something that others won’t be able to guess easily.
36 Responses to “WordPress Security Tip: Remove the Admin User”
Hi Daniel. I am in the early stages of starting-up my business and I was researching how to change my admin username when I came across your post in a Google search. I had the same problem as someone above, I was logging in with the Admin username. After reading your info I was able to do it no problem. Thanks a bunch!
You can also change username by using PHPMyAdmin
Thanks so much for this info. I knew you were supposed to delete the default admin, but I didn’t know how. The trick I was missing was to log in with the new user account to delete it.
There’s not much on the web touching this topic but I believe this is one of the most simplest things an administrator can do to “Bullet Proof” to an extent there WordPress Wesbite.
Adding on to @ Arun Basil Lal with the article, technique # 3 is not explained as detailed as an article I just posted over on
Which specifically talks about this method.
Great article, always love the security articles!
FYI, if you embed content in a post, the code will disappear if you post as “author” rather than administrator (using latest update of WP). Followed this advice earlier today and made my posting name an author instead of administrator and spent way too long trying to figure out what was wrong with the embeds I was including in a post before remembering that change.
I always remove it.
Not only for security reasons but for user interaction as well.
IMO, ‘admin’ sounds way too serious.
Comments are closed.