The default WordPress username “admin” has been a security weakness for years. Increases in attacks on sites using admin as the username make changing the username mandatory for maintaining security. The plan of attack is simple: find WordPress sites using the default “admin” username and gain access by trying multiple passwords. Once through the front door, the attackers inject a backdoor and plant malware on the site.
You don’t have to be a technical wizard to change your WordPress admin username. Here is how to do it and improve your WordPress site security in the time it takes to drink a cup of coffee, without complex database changes or plugins. Watch the video or follow the instructions below:
Before you begin, complete these simple steps and record the info for future use:
Selecting a New WordPress Admin Username and Password
Select Your new user name
Your username should be unique to you.
Attackers know these usernames, so do not use any of these:
- admin or Admin
- admin1
- adm
- aaa
- sysadmin
- administrator
- user
- test
- qwerty
- manager
- root
- support
Choose a New Password
2016: Upgrade your password to a passphrase. A passphrase is a minimum of 16 characters. It can contain dictionary words and even be all lowercase letters, according to Anthony T, article author and founder of the online magazine UX Movement. Add complexity to your passphrase by adding a capital letter and a number. His example: design2Code4coffee.
Why Passphrases Are More User-Friendly Than Passwords – Smashing Magazine
The old advice of selecting a password that is at least eight characters long, uses a combination of upper case and lower case letters, numbers and symbols is not as good a bet as using a passphrase or a password generated by a password manager. Look to this article from WordPress.com Support for guidelines in selecting a strong WordPress password: Selecting a Strong Password
Two More Important “Pre-flight” Steps
Have a Second Email Address Ready
You will need another email address as no two users can have the same email address. It doesn’t have to be a “real” email address.
Backing Up Your Site is Recommended
This is always good practice when making changes or updates to your WordPress site. Contact your hosting provider if you need help with that.
Change Your WordPress Username and Password
- Log in to WordPress.
- In the Dashboard menu go to Users and select Add New.
- Fill out the add new user form.
- Use the second email address you have selected. You can change it later. WordPress will verify the strength of your new password as strong if it meets the requirements.
- Select Administrator as the Role. This is important as you will need that level of access to delete the Admin user.
- Click Add New User.
- Log out of your site and log in using your new username and password.
- Select Users.
- Hover over the Admin row and click on the Delete link.
- STOP BEFORE YOU PUSH THAT DELETE BUTTON! Select Attribute all posts and links to your new username. Failing to do so will delete all your posts.
- Click Confirm Deletion.
- Open your new user account and change the email address to the original.
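The same steps can be run from the command line. This is an added example, not part of the original article: it assumes WP-CLI (`wp`) is installed, a single-site install, and that you run it from the WordPress directory after taking a backup. The function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: WP-CLI version of the dashboard steps. Assumes a single-site
# install with WP-CLI available as "wp". Function names are illustrative.

# Usernames the article lists as already known to attackers.
GUESSABLE="admin admin1 adm aaa sysadmin administrator user test qwerty manager root support"

# Succeeds (returns 0) when the proposed login is on that list, ignoring case.
is_guessable() {
  local name
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case " $GUESSABLE " in
    *" $name "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: replace_admin admin <new_login> <temporary_email>
replace_admin() {
  local old="$1" new="$2" temp_email="$3" old_email new_id
  if [ -z "$new" ] || is_guessable "$new"; then
    echo "refusing guessable username: '$new'" >&2
    return 1
  fi
  # Remember the original address so it can be restored in the last step.
  old_email=$(wp user get "$old" --field=user_email) || return 1
  # Create the new administrator with the temporary second address. No
  # password is passed, so WP-CLI generates one and prints it once; replace
  # it with your passphrase after logging in.
  wp user create "$new" "$temp_email" --role=administrator || return 1
  new_id=$(wp user get "$new" --field=ID) || return 1
  # Delete the old account and attribute its posts and links to the new one.
  # Without --reassign, the old user's content is deleted with the account.
  wp user delete "$old" --reassign="$new_id" --yes || return 1
  # Put the original email address on the new account.
  wp user update "$new" --user_email="$old_email"
}
```

The function stops at the first failed step, so the old account is never deleted unless the new administrator was created and its ID was read back.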
There you have it: in the time it takes to drink a cup of coffee, you have changed your username and increased your site’s security. If you want help doing this, call Artizon Digital. Need to get started with a WordPress website? Artizon Digital can get you going on that too.
Sue Surdam | Artizon Digital | WordPress Specialist and Social Media Solutions | 503-577-1035
This is a great article and I’ve often wondered if my own username for my website is secure enough. If I was a gamer I’d change it to something really cool like Hoax Slayer col. Can you extrapolate on your point that the second email address doesn’t have to be a “real” address? I’m not sure exactly what to do.
Thanks, Sue and Artizon Digital!
Thanks for your kind words, and I like your username idea, very cool!
A fake email address means just make one up, like me@mymadeupemail.com. You just need to have something to fill in the email address of your new user; WordPress doesn’t care if it is a working address. You will be replacing it with your real email address after you have deleted the “admin” user.
Hi, very good article.
Thanks for sharing with us.
You’re welcome. Took a quick visit to your website and found lots of useful articles there.