In light of the recent WordPress mass-scale hack by a giant botnet, I had a question from someone recently wondering about the username “admin.” I thought it would be very useful to many to explain why you DON’T want to use “admin” as your username, ever, in WordPress.
The problem with the username “admin” is that it is a WordPress default, so it is super easy to guess. Actually it’s not a ‘guess’ – many people just fail to change to this, so it’s an obvious starting point for a hacker. If you login to your site using “admin” then your username is admin. Or if you login using something else, and under “Users” in your WordPress dashboard, there is a user named “admin,” you have a problem. You should delete this user as long as you have another “Administrator” user set up already and know the username and password for it.
How to get rid of the “admin” user in WordPress?
The way to change this easily is to go to “Users” > “Add New” in your WordPress dashboard. Set up a new username (I like to use strongpasswordgenerator.com even for forming my usernames, but that might be overkill) and password. Do not use any legible or readable words in your password. In fact, to be safe, just generate a password at strongpasswordgenerator.com. Where it asks you what ‘role’ this user should have, set it to “administrator.”
Note: you will need a different e-mail address than the one used for “admin” to set up a new user. For some reason WordPress doesn’t always save the password for a user the first time you click on “Create user” so you’ll have to go in to that user’s profile after you’ve created it and insert the password twice again, then hit save.
Once you have created the new user, you can delete the “Admin” user under “Users” in your WordPress dashboard.
Why WordPress requires security measures:
Since WordPress is an open source software, it makes it really easy for hackers to find vulnerabilities in the system. This is why upgrading to the latest version of WordPress is also really important. I attended a security talk at WordCamp Seattle last year and was told there is never an excuse not to upgrade. WordPress is built in a way that it can upgrade its ‘core’ without affecting the parts of your site you have changed or added content to. But with themes this is a bit different – this is why you’d want to set up a Parent and Child theme, instead of having everything in just one folder. In either case, you always need to do a backup before you upgrade anything.
Using Better WP Security Plugin:
If you install Better WP Security plugin it has a bunch of options to allow you to protect your site from attacks. One of them is getting rid of the username “admin” and also changing the user ID of 1, among other things.
One thing I noticed and had a really hard time with (took forever to figure this out), is that if you turn on “Intrusion Detection” in Better WP Security it can prevent the Google bot from crawling your site, and your pages will stop being indexed, followed by a bunch of errors in Webmaster tools. I also have stopped using “Ban users” because it makes the .htaccess file too large and it takes longer to load the site.
ALWAYS have a WordPress tailored backup system in place:
That all aside, you should probably also have a backup system in place. I require all my clients to have either VaultPress or BackupBuddy before I launch their site for them. Some hosts have a daily backup and restore system built in, like WP Engine. That way if your site is hacked, you can revert to a backup copy. VaultPress is a lot more “dummy proof” than BackupBuddy, but BackupBuddy can be cheaper – but both work fine.
If you’d like to learn more about WordPress security, there are TONS of blog posts on it but also at WordCamps they talk about this: http://wordpress.tv/?s=