WordPress Security: Create a New User and Delete the Default “admin” Account

Nov 4, 2009

This post tells you the simplest way to improve security on your WordPress website or blog.

Recently there was a big security scare for WordPress users. A “worm” (a form of automated malicious software) was traveling around the Internet trying to break into unsuspecting WordPress users’ sites. Even high-profile bloggers like Robert Scoble were caught without adequate file and database backups in place. Scoble lost a bunch of posts, and said he felt less certain of WordPress as a result.

But the fact is, Scoble should have backed up his site. At the very least, he should have checked with his host to see if they create automatic backups. (You should do the same with your host. Why wait until after something goes wrong to find out?!) If you don’t know how to back up your MySQL database and the files in your wp-content directory, now is a good time to learn. Your web host should be able to help. If not, let me know. If your site is hosted on WordPress.com, no worries! They make backups for you. However, you might want to do a Tools > Export in the WordPress Dashboard (save the .xml file to your hard drive) just in case! Unless you have an explicit agreement with WordPress.com about backing up your data, don’t expect to hold them responsible for data loss on your site.

Here are two good posts about WordPress security inspired by the latest worm scare:

How to Keep WordPress Secure by Matt Mullenweg – WordPress.org

Old WordPress Versions Under Attack by Lorelle VanFossen

The first thing everyone with a self-hosted (non-WordPress.com) WordPress site should do is this:
Create a new User account with a not-so-simple username. The default username that comes with WordPress is “admin”. That usually comes with a crazy-difficult password. Unfortunately, most people then change the password to something easy like “mydogname” or whatever.

Worms trying to hack into your WordPress site know to try “admin” as a username because it works probably 70% of the time or more! Then they just have to crack your simple password and they’re done.

So do yourself a favor. Log in to WordPress. Go to Users (under Appearance) > Add New User. Use a difficult username, something with upper and lower case letters at the very least. Not something obvious. Then use a difficult password, something with upper and lower case letters, at least one numeral and one special character like * or ( or % etc. Don’t worry about the username displaying as your name on the site. You can enter your first and last name, and then use the dropdown menu to tell WordPress to use that instead of the username after blog posts and such. Be sure to note the email address you use for your site admin (under Settings > General). You can use a different email address for each new user account you create.

After you have created the new user account, log out and then log in with the new account to make sure it works. After you have done that, you can delete the admin user account. That way, worms won’t be able to use that username to hack into your site.
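The same procedure (create a strong replacement administrator, confirm it works, then remove “admin”) scripted with WP-CLI, as an added example that is not part of the original post. WP-CLI (https://wp-cli.org/) did not exist when the post was written; the script assumes `wp` is installed and is run from the WordPress root, and the script name and the 14-character password floor are this example’s own choices. The interactive “log out and log back in” check from the post is replaced by verifying that the new account actually holds the administrator role before “admin” is touched, and the deletion reassigns admin’s posts rather than losing them.

```shell
#!/bin/sh
# Added example, not from the original post. Replaces the default "admin"
# administrator with a new account using WP-CLI (https://wp-cli.org/).
# Assumes `wp` is installed and the script runs from the WordPress root.
# Usage:  sh replace-admin.sh NewUserName you@example.com
LC_ALL=C; export LC_ALL   # keep [A-Z]-style ranges ASCII-only

# Password rule from the post: upper and lower case, a numeral and a
# special character. The 14-character floor is this example's addition.
password_is_strong() {
    pw=$1
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
    [ ${#pw} -ge 14 ]
}

# Username rule from the post: not "admin", and mixed case at the very least.
username_is_acceptable() {
    u=$1
    [ "$u" != "admin" ] || return 1
    case $u in *[A-Z]*) ;; *) return 1 ;; esac
    case $u in *[a-z]*) ;; *) return 1 ;; esac
    return 0
}

# Draw random passwords until one satisfies password_is_strong.
generate_password() {
    while :; do
        p=$(openssl rand -base64 18 | tr -d '\n')
        if password_is_strong "$p"; then printf '%s\n' "$p"; return 0; fi
    done
}

replace_admin() {
    new_user=$1; new_email=$2
    username_is_acceptable "$new_user" || { echo "refusing weak username '$new_user'" >&2; return 1; }
    new_pass=$(generate_password)

    # 1. Create the replacement administrator; --porcelain prints only the new ID.
    new_id=$(wp user create "$new_user" "$new_email" \
                --role=administrator --user_pass="$new_pass" --porcelain) || return 1

    # 2. The post says to log in as the new user before deleting "admin";
    #    here we at least confirm the new account really holds the administrator role.
    wp user get "$new_id" --field=roles | grep -q administrator || {
        echo "new user $new_id is not an administrator; leaving admin in place" >&2; return 1; }

    # 3. Delete "admin", reassigning its posts to the new account. Without
    #    --reassign WordPress deletes the posts along with the user.
    wp user delete admin --reassign="$new_id" --yes || return 1

    echo "Replaced admin with $new_user (ID $new_id). Password: $new_pass"
}

# Run only when invoked with two arguments, so sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
    replace_admin "$1" "$2"
fi
```

Run it once per site, then store the printed password in a password manager (the same place the post suggests keeping the rest of your account details). If the role check fails, nothing has been deleted and the original “admin” account is still intact.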

Again, this is the simplest way to improve security on your WordPress website or blog.

9 comments

Good tip, obvious and easy to do. OK, have to leave – have to think of something different than admin... like 300 times... *hmmm*

Andreas

@Andreas
Thanks!

I don’t envy you having to deal with 300 WordPress accounts. I’ve got about 100 at the moment, and that’s getting unruly.

There are tools to create good passwords, of course, and the same can be used for strong usernames. The question is where to put all the information so that you can access it easily. Let me know what you figure out.

By the way, you’ve got a great looking website. Google makes it pretty easy to translate now, too. So I’m checking it out and following you on Twitter.

Here’s a great set of tips on how to create a strong password, along with a password strength-checking tool. Thanks, Microsoft!

There are plugins that allow you to change the username “admin” to something more of your liking. I believe there’s one called “Username Switcher” and searching for that brings up several results.

It seems to me that changing the username (via a plugin) has the same net positive result as creating a new user and deleting the default “admin” one.

Do you agree? Or is there some reason I haven’t thought of that makes that a less-good idea?

Thanks for this detailed, informative post.

@Wendy
Thanks for commenting! Great question.

I haven’t tried a plugin to change the “admin” username myself, but it accomplishes the same thing as adding a new user and deleting the old, so it sounds like that would work. It’s going to make it way harder for a worm to crack your username plus password if you replace “admin” with something less obvious. The tips I mention in my previous comment above are helpful for this.

Rather than add a new user you can simply edit your SQL database through phpMyAdmin – change the name admin to something more secure.

@Mark
Thanks for the excellent tip. This is what the plugins @Wendy mentions above do, but your method is for those who are fearless when it comes to editing a database directly using phpMyAdmin. Not everyone is ready to make that leap. Knowing how to use phpMyAdmin certainly gives you more control over your site.

For those interested, Mark has a post about how to make the change here: The 5 Minute Secure WordPress Install

Thanks for a great post. This prompted me to write up how I modify the admin account on new WordPress installations on my blog. The post is at http://blog.ianroke.co.uk/2010/01/dumb-down-admin-account-new-wordpress-installations/ if you are interested.

I take the slightly different approach of creating a new user account with admin rights, then changing the rights of the admin account to a subscriber and giving it a hard to hack 14 character randomly generated password.

Interesting read thanks. Ian.

@Ian
Thanks, Ian. Nice post. You have a great teaching style. Yours is a good alternative when it’s not possible to delete the admin account altogether, which I have seen in some cases. I haven’t taken time to find out why some WordPress installations will allow an Administrator to delete the admin account and others will not. If anyone has, I’d like to know.
