Why You Should Never Have an ‘Admin’ User Account in WordPress

13th February 2015


If you set up a WordPress installation with ‘admin’ as the default administrator username, you’re opening up an easily exploited security hole. If your site is subjected to a brute force attack, you’re playing right into the hands of the attacker.

A brute force attack is password guessing, and it’s very common. An attacker tries various combinations of usernames and passwords until they find one that works. Once they’re in, they can do what they like, including compromising the site with malware.

I recently installed the Sucuri plugin on a site I knew had come under attack, and I set it up to send me an email notification every time there was a failed login attempt. In less than 24 hours I’d had 98 alerts telling me that someone had tried to get in using either ‘admin’ or ‘adm1n’ as the username.

If the site in question actually had a username called ‘admin’, then half the battle would’ve been over for the attacker. If it’d been coupled with a common password, then they’d probably be in. That’s why it’s important to choose a username which has no relation to ‘admin’ or the site name, together with a good password. One way of doing this is to use a secure password generator.

You can also restrict access to the login page itself to approved IP addresses only.
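To put the two points above into practice, here is an added example (my own, not code from this post or from the Sucuri plugin): it reads a constructed log of failed-login notices, counts attempts per IP so that repeat offenders can be blocked, and checks whether a proposed username is a predictable target such as ‘admin’, a leetspeak variant like ‘adm1n’, or something derived from the site name. The log format and the site name examplesite.com are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of failed-login notices in a made-up format (hypothetical,
# not the Sucuri plugin's own log format). IPs are documentation ranges.
SAMPLE_LOG = """\
2015-02-12 21:14:03 failed login user=admin ip=203.0.113.7
2015-02-12 21:14:05 failed login user=adm1n ip=203.0.113.7
2015-02-12 21:14:08 failed login user=admin ip=203.0.113.7
2015-02-12 21:20:41 failed login user=administrator ip=198.51.100.9
2015-02-12 21:31:17 failed login user=jo ip=192.0.2.44
"""

LINE_RE = re.compile(r"failed login user=(?P<user>\S+) ip=(?P<ip>\S+)")

# Common character substitutions seen in guessed variants such as 'adm1n'.
LEET = str.maketrans({"1": "i", "!": "i", "0": "o", "4": "a",
                      "3": "e", "@": "a", "$": "s"})


def normalise(name):
    """Lower-case the name and undo leetspeak so 'Adm1n' compares as 'admin'."""
    return name.lower().translate(LEET)


def is_admin_like(username, site_name=""):
    """True when the username is a predictable target: any 'admin' variant,
    or a name that is obviously derived from the site name."""
    n = normalise(username)
    if "admin" in n:
        return True
    site = normalise(re.sub(r"\W+", "", site_name))  # strip dots, dashes, etc.
    return bool(site) and (site in n or (len(n) >= 4 and n in site))


def summarise_failures(log_text, threshold=3):
    """Count failed logins per IP and the usernames each IP tried; an IP at or
    over `threshold` attempts is marked as a candidate for blocking."""
    per_ip = Counter()
    users = defaultdict(set)
    for m in LINE_RE.finditer(log_text):
        per_ip[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return {ip: {"attempts": n, "usernames": sorted(users[ip]),
                 "blocked": n >= threshold}
            for ip, n in per_ip.items()}


if __name__ == "__main__":
    for ip, info in summarise_failures(SAMPLE_LOG).items():
        print(ip, info)
    print(is_admin_like("adm1n"), is_admin_like("jo", "examplesite.com"))
```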
