Comments on: WordPress Security: Create a New User and Delete the Default “admin” Account

By: Mark McLaren

Mark McLaren — Tue, 19 Jan 2010 16:29:38 +0000

@Ian
Thanks, Ian. Nice post. You have a great teaching style. Yours is a good alternative when it’s not possible to delete the admin account altogether, which I have seen in some cases. I haven’t taken time to find out why some WordPress installations will allow an Administrator to delete the admin account and others will not. If anyone has, I’d like to know.

By: Ian Roke

Ian Roke — Tue, 19 Jan 2010 10:44:41 +0000

Thanks for a great post. This prompted me to write up how I modify the admin account on new WordPress installations on my blog. The post is at http://blog.ianroke.co.uk/2010/01/dumb-down-admin-account-new-wordpress-installations/ if you are interested.

I take the slightly different approach of creating a new user account with admin rights, then changing the rights of the admin account to a subscriber and giving it a hard to hack 14 character randomly generated password.

Interesting read thanks. Ian.

By: Mark McLaren

Mark McLaren — Wed, 04 Nov 2009 20:29:36 +0000

@Mark Thanks for the excellent tip. This is what the plugins @Wendy mentions above do, but your method is for those who are fearless when it comes to editing a database directly using phpmyadmin. Not everyone is ready to make that leap. Knowing how to use phpmyadmin certainly gives you more control over your site. For those interested, Mark has a post about how to make the change here: The 5 Minute Secure Wordpress Install

By: Mark

Mark — Wed, 04 Nov 2009 20:15:36 +0000

Rather than add a new user you can simply edit your sql database through phpmyadmin – change the name admin to something more secure.

By: Mark McLaren

Mark McLaren — Wed, 04 Nov 2009 17:54:41 +0000

@Wendy
Thanks for commenting! Great question.

I haven’t tried a plugin to change the “admin” username myself, but it accomplishes the same thing as adding a new user and deleting the old, so it sounds like that would work. It’s going to make it way harder for a worm to crack your username plus password if you replace “admin” with something less obvious. The tips I mention in my previous comment above are helpful for this.

By: Wendy Cholbi

Wendy Cholbi — Wed, 04 Nov 2009 17:31:34 +0000

There are plugins that allow you to change the username “admin” to something more of your liking. I believe there’s one called “Username Switcher” and searching for that brings up several results.

It seems to me that changing the username (via a plugin) has the same net positive result as creating a new user and deleting the default “admin” one.

Do you agree? Or is there some reason I haven’t thought of that makes that a less-good idea?

Thanks for this detailed, informative post.

By: Mark McLaren

Mark McLaren — Wed, 04 Nov 2009 14:43:20 +0000

Here's a great set of tips on how to create a strong password, along with a password strength-checking tool. Thanks, Microsoft!

By: Mark McLaren

Mark McLaren — Wed, 04 Nov 2009 14:19:34 +0000

@Andreas
Thanks!

I don’t envy you having to deal with 300 WordPress accounts. I’ve got about 100 at the moment, and that’s getting unruly.

There are tools to create good passwords, of course, and the same can be used for strong usernames. The question is where to put all the information so that you can access it easily. Let me know what you figure out.

By the way, you’ve got a great looking website. Google makes it pretty easy to translate now, too. So I’m checking it out and following you on Twitter.

By: Andreas Ostheimer

Andreas Ostheimer — Wed, 04 Nov 2009 12:44:22 +0000

Good tip, obvious and easy to do. OK, have to leave – have to think of something different than admin..like 300 times…*hmmm*

Andreas