Stop Using Admin For Your WordPress Username NOW!

Table of Contents

For several years, WordPress automatically defined the initial admin username as “admin”. This meant that 99.99% of WordPress users used their admin as their login username.

It did not take long for hackers to catch onto this fact and use it to their advantage. They already knew the admin username, all they had to do now was guess the password. And with millions of people using simply generic passwords, they were able to hack into websites easily and insert their malicious code.

The only way to change your username from admin was to manually change it through your database. With so many WordPress lacking the knowledge of how to do this, their username was left as admin. Thankfully, WordPress now lets you create your own username when you install WordPress for the first time (though I have no doubt some people still choose admin!).

Around a week or so ago, I started seeing a significant increase in WordPress comment spam on this blog. I saw spam comments increase from two or three per week to hundreds per day. To combat the threat of hacking and reduce comment spam, I installed the Wordfence security plugin. It’s a great plugin that scans your directories for malicious files and makes your website much more secure.

The plugin is configured to email me whenever someone unauthorised tries to login to my website. The email details the time and date of the log in attempt, the IP address of the hacker and the username that they attempted to sign in with.

Here is an example of an email I received today:

This alert was generated by Wordfence on “Kevin Muldoon” at Monday 10th of March 2014 at 03:00:43 AM
The Wordfence administrative URL for this site is: https://www.kevinmuldoon.com/…

A user with IP address 95.10.82.186 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘admin’
User IP: 95.10.82.186
User hostname: 95.10.82.186.dynamic.ttnet.com.tr

I received a total of fifteen email alerts about unauthorised login attempts yesterday. I have always known that hackers use software to attack established websites, however I must admit that I was still a little shocked at the volume of attacks being made.

What did not shock me was that every attempt used the the username “admin”. I do not know much about hacking, but I imagine that if the possibility of hacking a website is small using generic keywords, the possibility is infinitely higher if you need to try it using random usernames too. Which is why hackers seem to be solely focusing on targeting websites who continue to use the “admin” username.

My advice to those of you who still use “admin” as your administrative username is to change it immediately. If you are not comfortable doing this directly through your database, I recommend using a plugin such as Admin renamer extended or Admin username changer. I also recommend installing Wordfence to help make your website more secure. You can also install it temporarily if you just want an idea of how often your website is being targeted by hackers.

Good luck,
Kevin

9 thoughts on “Stop Using Admin For Your WordPress Username NOW!”

  1. You must have started using WordPress recently. For a long time, most website owners used admin as their username :)

  2. Hi Kelvin, thanks for the plugins recommendation.
    Fortunately, I’m not using “admin” anymore since day one using wordpress :)

  3. Thanks for the suggestion.

    I disable Wordfence. Kris was 100% correct – it was slowing down my website considerably. My page is around 0.6-0.8 seconds quicker since disabling it.

    I’ll use simple firewall for a few days and see how I get on. I can test Kris’s suggestion of Login Security Solution on another website to see how that performs.

  4. Hi Keith,

    Yes that’s a very good point. I am surprised that spammers do not check the author URL’s and try passwords for the usernames they find. Hopefully no hacker reads that as I believe it would work.

    I’m using Login Lockdown, but I am not 100% sure that the plugin stops automated attacks.

    Kevin

  5. Hi Kevin
    The only problem is that whatever username you use, if you click on the author’s name at the top of the post, you can see the author’s username in the URL.

    So if I click on your name I’m taken to the URL…
    http://kevin-muldoon.b.wetopi.com/author/KevinMuldoon/

    So is your username KevinMuldoon?

    I go for a good strong password and a login limiter plugin.

    BTW – good to see the subscribe to comments plugin.

  6. Yeah I need to test the speed of my website with it activated and then deactivated. I also installed it as I found a malicious file in my cache. I use another login prevention plugin but it doesn’t seem to be as good as the one Wordfence has.

    150 login attempts per hour is crazy. Glad you got on top of it quickly.

  7. Check your site speed after installing Wonderfence, I use it once per week and then remove, because it caused huge site load. To prevent dashboard attacks I use Login Security Solution. Helped a lot few months back as I had the same problem as you, but with around 150 login attempts per hour (so site was many times down).
    The good thing will be an option in WordPress that will let us use other name than administrator login in author slug. I know it can be done by registering new user with lower capabilities, but it very inconvenient.

Leave a comment

Share This