
Why You Shouldn’t Use The Username Admin

WordPress sites that run with an account whose username is Admin are more exposed to attacks.

For example, brute force attacks against the WordPress login target users who have common passwords.

In this resource we'll cover why keeping the (admin) username in WordPress can cause catastrophic damage to WordPress users.

You'll also learn what can be changed on an existing account and how to create a new one.

Why shouldn’t you use the Username ADMIN?

Let's briefly describe why running your WordPress site with the username ADMIN is not recommended.

Brute Force attacks

As the name suggests, brute force attacks involve trying many login combinations against a site's login form.

For example, hackers target the default WordPress login page with common usernames, such as Admin, combined with commonly used passwords, such as Love1234, Admin1234, and cool@1234.

In a simple brute force attack, the attacker tries the login page with common usernames; Admin is the obvious choice, since most WordPress users keep it.

WordPress accounts that combine the username Admin with a common password are therefore easily found by brute force, and once found, the attacker can log into the victim site.

So if your site's username is Admin, the chances of the site being compromised are high.
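One way to take the username out of play entirely, as an added example that is not from the original post: a small must-use plugin that refuses any login attempt for the login name admin (whatever the password) and records each failed login, so that brute-force activity against that name shows up in the PHP error log. The file name, the wp-content/mu-plugins location and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Reject Logins for the Username "admin"
 * Description: Added example (not from the original post). Save as
 * wp-content/mu-plugins/reject-admin-login.php (file name is an assumption).
 * Activate only after a replacement administrator with a different login exists,
 * because the real "admin" account will no longer be able to sign in either.
 */

defined( 'ABSPATH' ) || exit;

// Login names this site never accepts at the login form (constructed list).
const EXAMPLE_REJECTED_LOGIN_NAMES = array( 'admin', 'administrator' );

/**
 * Runs on the 'authenticate' filter at priority 30, i.e. after the core
 * username/password and email/password handlers (priority 20). Those handlers
 * replace any earlier WP_Error when credentials are present, so hooking in
 * earlier would not stop the login; at 30 the rejection is final. The filter
 * covers wp-login.php as well as XML-RPC and other callers of wp_authenticate().
 */
function example_reject_admin_username( $user, $username, $password ) {
    if ( in_array( strtolower( (string) $username ), EXAMPLE_REJECTED_LOGIN_NAMES, true ) ) {
        // Generic message: does not reveal whether such an account exists.
        return new WP_Error( 'rejected_username', __( 'Invalid username or password.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_reject_admin_username', 30, 3 );

/**
 * Record every failed login with its source address so repeated attempts against
 * one login name can be spotted in the error log (or fed to a tool such as fail2ban).
 */
function example_log_failed_login( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'wp-login failed: user=%s ip=%s', sanitize_user( $username, true ), $ip ) );
}
add_action( 'wp_login_failed', 'example_log_failed_login', 10, 1 );
```

Because WordPress looks logins up case-insensitively, the lowercase comparison also catches Admin and ADMIN.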

Social Engineering scams

WordPress users with ADMIN as their handle are also targets of social engineering attacks, which exploit human psychology to obtain sensitive information from admin users.

On sites with an Admin account, hackers can guess the email addresses of admin, super, or power users. This lets them create and launch email-based attacks quickly and easily, and such attacks work in most cases.

For example, an admin can receive emails from suspicious senders that WordPress beginners cannot recognise as such. These emails look like they come from legitimate companies, and they often trick admins into taking sensitive actions that compromise their site's security.

Real-Time attacks on Admin accounts

Hackers can also launch real-time attacks on admin accounts.

For example, if hackers obtain an admin's session cookies, account takeover becomes easy for the attacker.

In this case, clicking a single link from the admin account can have serious consequences. For example, when an admin clicks a suspicious link, attackers can capture the admin's cookies, alter them, and resend HTTP requests to the server's infrastructure.

When this happens, attackers can access the admin's account from anywhere; stealing the cookies is enough to obtain admin status on a WordPress site.

Run as Administrator

Admin accounts can perform any action on a WordPress site, including installation, backup, and restoration.

If there is no backup system, actions taken by admin accounts cannot be reversed.

That said, if you're not careful, you can damage your WordPress site as an admin. For example, changing user roles in WordPress can create loopholes in access controls, action levels, and site management.

Next, let’s learn how to change WordPress usernames’ data for security reasons.

Change data for existing Admin account

In WordPress, what can be changed on an existing user account is limited.

Once you've logged into the admin dashboard, go to the Users page and click Edit under the username, as shown in the screenshot below.

[Screenshot: Username Admin]

On the next page you can see that WordPress only allows changing the password for an existing account. Once a username such as admin has been created, it cannot be changed in WordPress.

So let's look at creating new user accounts in WordPress instead.

Creating new user accounts in WordPress

Instead of keeping the username ADMIN, create a new account with administrative privileges under a different username.

For example, creating a user with the username John and a complex password is recommended for WordPress users. In this way you can prevent brute-force attacks on WordPress admin accounts.

Let's describe how to create a new account with administrative privileges.

Once logged into the WordPress dashboard, head over to Users -> Add New and click the Add New button.

On the next page, enter the information for the new admin account, such as username, password, and access level.

[Screenshot: Username Admin]

Here, make sure you do not use ADMIN as the new account's username.

Note: By following the procedure above, you can create unique users with administrative rights in WordPress and, at the same time, prevent attacks that target the admin username, such as simple brute-force attacks.
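The same replacement done from the command line, as an added example that is not from the original post: a one-off script for `wp eval-file` that creates a new administrator with a unique login, checks that the new account really holds the administrator role, and only then removes the account named admin, reassigning its posts to the new user. The script file name, the login john and the email address are assumptions.

```php
<?php
/**
 * Added example (not from the original post): replace the "admin" account with
 * an administrator that has a unique login. Run once inside WordPress, e.g.
 *   wp eval-file replace-admin.php        (file name is an assumption)
 */

defined( 'ABSPATH' ) || exit;

// Assumed values for the replacement account; change before use.
$new_login = 'john';
$new_email = 'john@example.com';

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
    exit( "No account named 'admin' found; nothing to do.\n" );
}
if ( username_exists( $new_login ) ) {
    exit( "Login '{$new_login}' is already taken; pick another.\n" );
}

// A long random password instead of a typed, guessable one.
$new_pass = wp_generate_password( 32, true, true );

$new_id = wp_insert_user( array(
    'user_login' => $new_login,
    'user_pass'  => $new_pass,
    'user_email' => $new_email,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    exit( 'Could not create user: ' . $new_id->get_error_message() . "\n" );
}

// Never remove the old account until the new one is confirmed to be an administrator.
$new_user = get_user_by( 'id', $new_id );
if ( ! $new_user || ! in_array( 'administrator', $new_user->roles, true ) ) {
    exit( "New account is not an administrator; leaving 'admin' in place.\n" );
}

// Delete 'admin' and hand its posts and links over to the new account.
wp_delete_user( $old->ID, $new_id );

echo "Created administrator '{$new_login}' (ID {$new_id}) and removed 'admin'.\n";
echo "Temporary password (store it in a password manager, then change it): {$new_pass}\n";
```

Log in as the new user and change the generated password before closing the session; on a multisite install, removing a user from the network is a separate step not covered here.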

Professional Tips

  • As WordPress allows creating accounts with different access levels, you can create accounts with limited rights, such as Author, for creating and editing WordPress content.
  • You can temporarily allow users to perform administrative tasks when required. For example, using WordPress plugins you can let an author create new users on WordPress, and once the task is finished, you can change the account back to its previous status.
  • If you're using multiple accounts in WordPress, make sure you've created admin accounts with unique identifiers. For example, adminposts, adminusers, and adminmanage are admin accounts with different roles.
  • You should also configure Two Factor Authentication (2FA) on admin accounts. It adds a second login verification step for super users: even when attackers obtain an admin's valid username and password, they cannot log in, because WordPress asks for a code sent to the admin's email or phone after the password is entered.

Conclusion

Admin accounts in WordPress have super-level rights, and the security problems that come with common usernames can create real trouble for webmasters.

In WordPress, you should avoid at all costs creating users with Admin as the username. Instead, create super users with a distinctive name, such as John.

Lastly, you can manage users' rights with point-and-click WordPress plugins, such as User Role Editor. It lets you quickly change users' rights in the WordPress dashboard without learning how to code against the WordPress backend.

If you need more details on creating WordPress users and avoiding common usernames such as ADMIN, join the conversation in the comments below and let us help you keep your WordPress users secure.
