Protect your website by hardening your WordPress: Admin User

As I mentioned in a previous post about hardening WordPress with better passwords, I am a big fan of WordPress and it’s popularity shows just how great this content management system is. But with it’s popularity has come a price: it’s routinely attacked by automated bots looking for a weakness.

One default potential vulnerability is the admin username. By default WordPress offers to create the first user with the username ‘admin’. This is a great suggestion, easy to remember and with the much vaunted WordPress 5 minute install, you probably wouldn’t give this a passing thought.

However, this one account has the highest level of permissions on your site. With so many sites using the same default username for their most powerful WordPress account, it’s an obvious target for hackers.

For years, I’ve been using a plugin to limit failed login attempts on my WordPress blogs. A feature of this plugin is to email me a notification of lockouts and what username was attempted. I cannot remember a single time that the attempted login was anything besides ‘admin’. The automated attacks always used ‘admin’ against any and all of my sites to try to guess the password. Everyday I get notices of attacks on most of my maintained WordPress sites. Every day it’s the same account name: admin.

A blog post on blog.securi.net confirms my experience:

On all the requests we logged, they only tried to guess the password for the user “admin”.

The good news is you can foil, probably, upwards of 90% of automated attacks by just renaming your admin account username. Here is why…

Since the vast majority of attacks are just automated attacks testing passwords against the admin user, by simply not having a user named ‘admin’ you will defeat the entire attack vector. All of these attacks will fail because there is NO admin user. Or more importantly, by simply having an admin username, you are unnecessarily leaving your site vulnerable by making it possible to just attempt passwords against that username until the password is discovered. And why would you allow that to happen if you can prevent it?

How do you rename your admin account?
If you are creating a new site, simply rename the admin account when you are creating the site.

WordPress install step 5, change admin username

WordPress install step 5, change admin username

But, what if you already have a site and you have the default admin user? You probably noticed that you cannot change the username for the admin account through the users screen. I don’t know why WordPress does this; there is probably a reason. But you could use a plugin to rename your admin account.

Consider using a plugin like Better WP Security. It has many additional security features, including allowing you to rename your admin user. Or you could use a plugin which is only for renaming users, such as Admin renamer extended; sometimes the simplest approach is the best.

For more information about securing your WordPress site, read my previous post about protecting your website by hardening your WordPress with hard passwords.

More information:

About Eric Holsinger

Eric Holsinger has broad background in web and mobile application development. He founded Whirlidoo, LLC in 2010 to create custom mobile applications and better websites.
This entry was posted in Blog and tagged , , , , , , . Bookmark the permalink.