Renaming the WordPress admin username is a great first step towards securing new or existing WordPress sites, and I’m going to lay out clearly what exactly is involved so you can get it done without hassle.
WordPress security has many different facets, and in this series of posts I’m going to address many of them with simple, straight-to-the-point tips and tricks to get you started.
In this post, I’ll address the WordPress security problem of usernames. You’ll learn:
- what you need to know about WordPress usernames and security
- what you need to do about your WordPress usernames
- how you can make these necessary security changes
Let’s get to it then.
What are the security concerns pertaining to WordPress usernames?
WordPress is normally installed with a single administrative user. By default, this username is admin.
What does this mean?
It means that nearly 100% of the WordPress websites out there in the whole wide world all have the administrator username admin.
Why is this a security issue?
Because if I’m going to try and hack a WordPress site and gain administrative access I’ll want to know an existing administrative username. If nearly 100% of all WordPress sites have the username admin, I’m going to try it first and massively increase the chances of my hacking attempts being successful.
What do I need to do to avoid being susceptible to this WordPress security issue?
This is one of the easiest WordPress security practices you can do on all your sites. So..
What do I need to do?
You need to remove the admin username from your WordPress site.
When do I need to do this?
You should do it today. This is best done on a brand new site, but you can do it at any time.
What will I use for a WordPress administrator user then?
Before removing the username, you’ll create a special, new WordPress administrative user on your WordPress site. Going forward you’ll use this new username to log in as administrator.
What do I need to be aware of in making this WordPress security change?
Depending on how you’ve created your WordPress site, your existing pages and posts may be owned by that admin user. If you delete that admin user you could potentially delete all that content too.
To avoid this being a problem, when you delete a WordPress user, WordPress will ask whether you want to reassign all this content to another existing user. That’s why you create a new administrator user first.
How do I make the necessary WordPress security changes for the admin user?
Many people will refer to “renaming” the admin user. In fact, what you’re actually doing is replacing it altogether with a new one.
Below is an outline of the steps to do this.
1. Ensure you have a recent, valid backup of your WordPress site (just in case!)
2. Log into your WordPress site as the admin user
3. Create a new WordPress user. Make sure the username is not really simple like admin123… you’re trying to avoid things like this. For example you could choose:
   - mylovelyadmin – not recommended because having the text ‘admin’ in there indicates it’s an administrator user
4. Log out of your WordPress admin.
5. Log into your WordPress admin again but using your newly created username from step 3
6. Go to the WordPress ‘Users’ section
7. Click to ‘delete’ the user with username admin (don’t worry, you’ll be asked to confirm this step)
8. Select the option to “Attribute all content to…” and make sure to select the new admin username you’ve just created and logged in as.
9. Click ‘Confirm Deletion’
How can I be sure that this worked?
Log out of your WordPress admin and try to log in again under your old admin username. If you were not able to log in successfully, then you won a great victory, and your site is now protected against large-scale intrusion attempts that require the existence of the admin username.
If you were still able to log in as admin then you need to go back and revisit what you actually did – try not to do this while drunk or high.
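If you manage sites from the command line, the same steps and the final check can be scripted with WP-CLI. This is an added example, not part of the original post: it assumes the `wp` command is installed and run from the WordPress root of a single-site install after a backup, and the function name `replace_admin_user` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): replace the default "admin"
# account using WP-CLI. Assumes `wp` is on PATH and a backup already exists.

# replace_admin_user NEW_LOGIN NEW_EMAIL
# Creates NEW_LOGIN as an administrator, deletes "admin" while attributing
# its content to NEW_LOGIN, then confirms that "admin" no longer exists.
replace_admin_user() {
    new_login="$1"
    new_email="$2"

    if [ -z "$new_login" ] || [ -z "$new_email" ]; then
        echo "usage: replace_admin_user NEW_LOGIN NEW_EMAIL" >&2
        return 2
    fi

    # Reject names the post warns about: anything containing "admin".
    case "$(printf '%s' "$new_login" | tr '[:upper:]' '[:lower:]')" in
        *admin*) echo "refusing '$new_login': contains 'admin'" >&2; return 2 ;;
    esac

    # Nothing to do if the default account is already gone.
    if ! wp user get admin --field=ID >/dev/null 2>&1; then
        echo "no user named admin; nothing to replace"
        return 0
    fi

    # Create the replacement administrator first, so the content has an owner.
    wp user create "$new_login" "$new_email" --role=administrator || return 1
    new_id="$(wp user get "$new_login" --field=ID)" || return 1

    # Delete admin and attribute all of its posts and pages to the new user.
    wp user delete admin --reassign="$new_id" --yes || return 1

    # Same check as logging in by hand: the old account must not exist.
    if wp user get admin --field=ID >/dev/null 2>&1; then
        echo "admin still exists; deletion did not take effect" >&2
        return 1
    fi
    echo "admin replaced by $new_login (ID $new_id)"
}
```

Because no password is passed to `wp user create`, WP-CLI generates one and prints it once; record it before closing the terminal.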
That was easy, so what’s next?
There are more guides and how-tos just like that to come.
If you have any comments or suggestions, please feel free to leave them below.