Securing the WordPress Admin User From Unauthorized Access

Securing the WordPress Admin User From Unauthorized Access

The most common hacking method is nothing sophisticated or new. It’s the attempt at guessing your username and password. Unfortunately, many users leave their username vulnerable by leaving it as the default “admin.”

In this article, we’ll go through the ways in which you can secure your administrator user account, more specifically the username. We have a separate article written that dives deeper into the password which you can read here.

First, I should note that everything outlined in this article is a low-value protection measure, which means that addressing the items outlined here will definitely help with your security. However, it is by no means the only measure you should be taking to secure your site nor something on which you should heavily rely.

That being said, let’s start with some facts:

  • Many WordPress hosts set up your brand new WordPress site with their default “admin” username
  • Most people end up keeping their admin username as “admin”
  • In brute force login attempts, “admin” is the most commonly guessed username

You can see how using or keeping the “admin” username might be problematic. It can also cause a slew of other related issues such as locking yourself out if you use a plugin that limits login attempts by username.

Create a Unique Username Other Than Admin

When you first begin setting up your WordPress site, if an “admin” user exists, you should create a new user for yourself using a unique username and then switch to that user while deleting the old “admin” user. This immediately solves the problem.

Have One Administrator Account and a Sub-Administrator Account for Yourself

Once you get rid of your “admin” username, you should ensure that there is only one Adminstrator-level account that is used to make changes to your website’s files, change themes, plugins, etc. while you create a second account to use for your daily activities like fulfilling WooCommerce order or publishing blog posts.

The reason for this is because if you use your website’s account on a daily basis, the chances are that you will find yourself logging in a lot on public networks or public spaces, thus increasing the chances of your user account getting compromised. However, if you find that the various other user roles such as “Editor” or “Contributor” are not fit for your daily needs, then consider using the User Role Editor plugin, which is highly recommended for all WordPress websites.

Another great added benefit of using the User Role Editor plugin is that you can create “Sub-Administrator” user roles and any such user roles created through the plugin can be kept from knowing any information about the global admin account.

The goal here is to make sure no one knows about the existence of your Administrator account, which brings us to the next point…

Don’t Let Anyone Find Your Admin Username

If you never use the global admin account or share it with anyone, then the chances of someone finding it are extremely slim. Make sure you never use it to publish blog posts either, as the author of every Post is easily uncovered.


Want to read more articles like this one? See 25 Ways to Improve WordPress Security


Sign Up for New Content