WordPress websites are under constant attack and one of the ways that hackers gain access is simply by logging in. Not just as anyone, but as you, the administrator. Here’s how to make it harder for them by changing your admin account.
Hackers will try obvious usernames and passwords for your website and they try to guess what your login details might be. You would be surprised by how easy it is to guess the login details of some websites and it is a serious problem that needs to be fixed. How? By making your admin account hard to guess.
It depends how your web hosting company sets up a new WordPress installation and these days it is much better than it used to be. At one time it was common to create a default account called admin and as the owner of the website, you would log in with the username ‘admin’ and a password.
There must still be a lot of websites around that have ‘admin’ user accounts because it is one of most attacked usernames. People or bots (automated programs) scour the web looking for weak WordPress logins.
Take a look at this (from Wordfence, which is covered later in this WordPress Security course).
The admin user account has a lot of failed login attempts from hackers and bots (automated software). They cannot get in because the account does not exist.
You can also see that attempts have been made to log in using the name of the website. That is another obvious account name that hackers try. You might want to test your website and create a user account called test and so hackers have also tried this.
When none of these accounts exist, it increases the website security. Take a look at your admin account username. Is it an obvious one that someone might be able to guess? If so, change it.
1 View WordPress user accounts
Select Users in the sidebar in WordPress. If there are several users, click the Administrator link at the top to list only users with admin access. These have the power to change anything and are targeted by hackers. They are a security risk and should be changed.
2 Create a new admin account
If your admin user account is too obvious, create a new one. Click Add New.
Creating users is straightforward and the only required information is a username and email address.
Each user must have a unique email address, so you cannot use the same one as your current admin account. Do you have another email you can use?
Many email services allow you to create extra addresses. For example, if you use Gmail and your email is email@example.com you can enter a ‘.’ anywhere in the name, such as firstname.lastname@example.org and Gmail treats it exactly the same. Emails to email@example.com and firstname.lastname@example.org both land in your Gmail inbox.
WordPress treats them as different and this is a useful way to add an extra user without having to add an extra email accounts. Outlook.com and Yahoo! Mail also allow you to create extra email addresses.
Make sure that this user is set as an administrator in the Role menu at the bottom.
3 Log out of WordPress
A new account has been created, so log out of WordPress by clicking Log Out on the menu in the top right corner of WordPress.
You now have two admin accounts, the old one and the one you just created.
4 Confirm your account
After creating a new user account, WordPress will send an email to the address given in the account setup. Check your email inbox for new messages and then click the link in it to confirm your account. Follow any instructions displayed.
5 Log in to WordPress
With a new admin account set up, return to your website and log in at www.yoursite.com/wp-admin
6 Delete your old account
Go to Users and check that you are indeed an admin user. Create, edit, or publish a post to confirm that your new account is working OK. Then return to Users, select your old admin account in the list, then use the Bulk Actions menu to delete it.
Your website security has now been increased by removing the obvious account name.
- Check your user account name. Is it too obvious?
- Create a new user account
- Set it as an admin
- Log in with the new admin account
- Delete the old admin account with the obvious username