Why You Should Never Have an ‘Admin’ User Account in WordPress

13th February 2015

If you set up a WordPress installation with ‘admin’ as the administrator username (the default that the installer used to suggest), you're leaving an easily exploited hole. Every brute force attack tries ‘admin’ first, so an attacker who hits your site already has half of the credential pair and only needs to guess the password.

A brute force attack is automated password guessing, and it's very common. An attacker's script submits username and password combinations to the login page until one works. Once they're in they have full control of the site, including installing malware or a back door for later.

I recently installed the Sucuri plugin on a site I knew had come under attack, and I set it up to send me an email notification every time there was a failed login attempt. In less than 24 hours I’d had 98 alerts telling me that someone had tried to get in using either ‘admin’ or ‘adm1n’ as the username.

If the site in question actually had a user called ‘admin’ then half the battle would've been over for the attacker. Couple that with a common password and they'd almost certainly be in. That's why it's important to choose a username with no relation to ‘admin’ or to the site name, and a long random password; a secure password generator is the easiest way to get one. Two practical points: WordPress won't let you rename an existing account from the profile screen, so create a new administrator with the new name, log in as it, then delete the old ‘admin’ user and assign its posts to the new one. And an unusual username only helps if it stays private: by default the author archive URL (/?author=1) and the REST API users endpoint can reveal the login name, so check what your site gives away before relying on the username as a secret.
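As an added example (this is not code from the post), the check below rejects candidate usernames that an attacker would guess, including leet-speak variants like ‘adm1n’ and anything derived from the site name, and then generates a random username and password with Python's `secrets` module. The site name "Example Guitar Tuition" and the list of common default names are constructed for the demonstration.

```python
import re
import secrets
import string

# Names a brute-force script tries first. 'admin' and 'adm1n' are the two
# seen in the post's Sucuri alerts; the rest are other common defaults
# (constructed list, extend it for your own environment).
COMMON_ADMIN_NAMES = ("admin", "administrator", "root", "webmaster", "test", "user")

# Leet-speak substitutions so 'adm1n' and '4dm!n' both collapse to 'admin'.
LEET = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e", "4": "a",
                      "@": "a", "5": "s", "$": "s", "7": "t"})


def _normalise(name):
    """Lower-case, undo leet substitutions, then keep only letters."""
    return re.sub(r"[^a-z]", "", name.lower().translate(LEET))


def is_guessable_username(candidate, site_name):
    """True if `candidate` is 'admin', a variant of it, or derived from the site name."""
    norm = _normalise(candidate)
    if any(name in norm for name in COMMON_ADMIN_NAMES):
        return True
    # Site-name words of three or more letters, plus the whole name run
    # together, so 'guit4r' and 'exampleguitar' are both rejected.
    words = [w for w in re.split(r"[^a-z]+", site_name.lower()) if w]
    tokens = [w for w in words if len(w) >= 3] + ["".join(words)]
    return any(t and t in norm for t in tokens)


def generate_username(site_name, length=12):
    """Random lower-case letters and digits; retry on the rare draw that
    happens to contain a rejected substring."""
    alphabet = string.ascii_lowercase + string.digits
    while True:
        name = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_guessable_username(name, site_name):
            return name


def generate_password(length=20):
    """Random password containing at least one lower, upper, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one of each class")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    site = "Example Guitar Tuition"  # constructed site name
    for name in ("admin", "adm1n", "Administrator", "exampleguitar", "x7kq2vm9"):
        print(f"{name:15} guessable={is_guessable_username(name, site)}")
    print("username:", generate_username(site))
    print("password:", generate_password())
```

The normalisation is deliberately aggressive (every ‘1’ becomes ‘i’, every ‘7’ a ‘t’), so it will occasionally reject a harmless name; that is the right way round for a check whose job is to keep ‘admin’ look-alikes out.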

You can also restrict access to the login page itself (wp-login.php) to approved IP addresses, for example with an allow rule in .htaccess or at the web server. Make sure the list covers every address you log in from, and remember that a home broadband address can change; if it does you'll lock yourself out until you update the rule over FTP or through the hosting control panel.
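The decision a server makes when wp-login.php is restricted to an allow list, as an added example in Python (not the post's own code, and not a WordPress plugin). The approved networks and the trusted proxy range are constructed from documentation address ranges; the point of `effective_client_ip` is the caveat that X-Forwarded-For must only be believed when the connection really comes from your own proxy, otherwise an attacker just sets the header to an approved address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow list using RFC 5737 documentation ranges, not real addresses.
APPROVED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Assumed address range of a reverse proxy or CDN that sits in front of the site.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def effective_client_ip(remote_addr, forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to check against the allow list.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; anyone else could set the header to an approved address and
    walk straight past the restriction. With a single proxy, the right-most
    entry is the address that proxy actually saw.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr  # let login_allowed fail closed on it
    if forwarded_for and any(peer in net for net in trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def login_allowed(client_ip, request_target, approved=APPROVED_NETWORKS):
    """Allow every request except the login page, which needs an approved IP."""
    path = urlsplit(request_target).path  # '?action=lostpassword' is still the login page
    if path != "/wp-login.php":
        return True
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(ip in net for net in approved)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header or None, request target)
    requests = [
        ("203.0.113.20", None, "/wp-login.php"),
        ("192.0.2.9", None, "/wp-login.php?action=lostpassword"),
        ("192.0.2.9", "203.0.113.20", "/wp-login.php"),   # spoofed header, untrusted peer
        ("10.0.0.5", "203.0.113.20", "/wp-login.php"),    # same header via our proxy
        ("192.0.2.9", None, "/about/"),
    ]
    for peer, xff, target in requests:
        ip = effective_client_ip(peer, xff)
        print(f"{peer:14} xff={str(xff):14} {target:35} -> {'allow' if login_allowed(ip, target) else 'deny'}")
```

The equivalent Apache 2.4 rule is a `<Files wp-login.php>` block containing `Require ip 203.0.113.0/24` (with `Require all denied` for everything else); the Python above is just the same decision written out so the proxy-header pitfall is visible.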
