Why You Should Never Have an ‘Admin’ User Account in WordPress

13th February 2015

If you set up a WordPress installation with ‘admin’ as the default administrator username, you’re opening up an easily exploited security hole. If your site is subjected to a brute force attack, you’re playing right into the hands of the attacker.

A brute force attack is simply password guessing, and it’s very common. An attacker will try various combinations of usernames and passwords until they find one that works. Once they’re in, they can do what they like, including compromising the site with malware.

I recently installed the Sucuri plugin on a site I knew had come under attack, and I set it up to send me an email notification every time there was a failed login attempt. In less than 24 hours I’d had 98 alerts telling me that someone had tried to get in using either ‘admin’ or ‘adm1n’ as the username.

If the site in question actually had a username called ‘admin’ then half the battle would’ve been over for the attacker: they’d only need to guess the password. If it’d been coupled with a common password then they’d probably be in. That’s why it’s important to choose a username that has no relation to ‘admin’ or the site name, together with a good password. One way of doing this is to use a secure password generator.
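As an added illustration (not code from the original post), here is a small Python check that flags administrator usernames which are just ‘admin’ in disguise (‘adm1n’, ‘Adm_1N’, and so on) or are derived from the site name, plus a password generator backed by the operating system’s CSPRNG. The leetspeak map and the list of generic names are my own assumptions, not something WordPress ships.

```python
import re
import secrets
import string

# Substitutions attackers use to disguise 'admin'-style names (the post saw
# both 'admin' and 'adm1n' being tried). Assumed list, extend as needed.
LEET_MAP = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e",
                          "4": "a", "@": "a", "$": "s", "5": "s", "7": "t"})

# Generic account names that brute-force tools guess first (assumed list).
GENERIC_ADMIN_NAMES = {"admin", "administrator", "root", "webmaster",
                       "wpadmin", "user", "test"}

# Domain parts and filler words that should not count as "the site name".
STOP_WORDS = {"www", "com", "co", "uk", "org", "net", "http", "https", "ltd"}


def normalise(name: str) -> str:
    """Lower-case, undo leetspeak and drop separators: 'Adm_1N' -> 'admin'."""
    return re.sub(r"[^a-z0-9]", "", name.lower().translate(LEET_MAP))


def site_tokens(site_name: str) -> set:
    """Meaningful words from a site name or domain, e.g. {'example', 'site'}."""
    words = re.split(r"[^a-z0-9]+", site_name.lower())
    return {w for w in words if len(w) >= 4 and w not in STOP_WORDS}


def username_is_weak(username: str, site_name: str) -> bool:
    """True if the username is an 'admin' variant or contains the site name."""
    norm = normalise(username)
    if "admin" in norm or norm in GENERIC_ADMIN_NAMES:
        return True
    return any(tok in norm for tok in site_tokens(site_name))


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG with at least one lower, upper and digit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw
```

Run `username_is_weak` against each administrator account when you set a site up; a `True` result means the attacker already has half of the credential pair.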

You can also help by restricting access to the login page itself to only approved IP addresses.

NB: Because this post is more than two years old, and the world of web design and technology moves on so quickly, the information in it may now be out of date.

