The danger of the ‘Admin’ username and how to change it!
You may have had your WordPress installation set up by a webmaster or done it yourself. Unfortunately some webmasters are sloppy and you may be unaware that using ‘Admin’ for your WordPress username is a huge security risk for your site.
In fact recently one of my clients had over 300 access attempts from different computers in one morning to try and crack the password for their blog. Fortunately I was running Wordfence (a security plugin) which discovered each attack and blocked the user from accessing the site again.
Why is it a security risk?
If someone knows your username it doesn’t take much computing power to run a program which can uncover your password. Once they have the password someone can hack your blog quite easily. You can be locked out, have phishing software added or have other dubious sites running off your domain.
These are all damaging, time consuming and frustrating situations to be in. How do I know? It’s happened to me a few times. Recovering from such an attack steals time, money and energy and could put your reputation at risk if not caught early.
So what do you need to do to change your WordPress username?
Here are the steps you need to take:
1. Log in to your WordPress dashboard with your current ‘Admin’ username and password.
2. On the dashboard on the left-hand menu click on ‘Users’ (usually just below ‘Plugins’ and above ‘Tools’).
3. Click on ‘Add New.’ The following screen will appear:
- Enter your new details making sure your WordPress username is not obvious (for instance the name of your blog or your name).
- Make sure your password is not easy to guess. It’s surprising how many people use ‘qwerty’ or ‘12345678’ as a password! It’s asking for trouble.
- Send the password to yourself by email by ticking the box so you have a record of your username and password handy.
- Change the role to ‘Administrator’. This is essential – if you do not change this you won’t be able to delete the old ‘Admin’ user in the next steps.
4. Log out of the dashboard and log back in again using your new WordPress username and password.
5. Click on ‘Users’ again and choose ‘All Users’. You’ll get a screen with two users. Your old ‘Admin’ WordPress username and the new username you’ve just created. Make sure the new username role says ‘Administrator’. Your new username will be on top.
6. Click on the box beside the old ‘Admin’ user.
7. Click the Down Arrow beside ‘Bulk Actions’ and choose ‘Delete’. Make sure you have just clicked on the ‘Admin’ user and it’s the only one that has a tick next to it.
8. Click ‘Apply’. You will see the screen below appear.
Note: You can also hover your mouse over the old ‘Admin’ user and a red ‘Delete’ link will appear. Clicking on this will take you to the screen below too.
Then click on ‘Confirm deletion’.
It is wise to check to see that the new WordPress username has been applied to all of your posts instead of ‘Admin’ which has now disappeared as if by magic.
And that’s it. Not too taxing or technical. Follow the process above and that task which may have been on the back-burner for some time has been ticked off the list.
Plus you’re secure in the knowledge that any future attack on the site using the ‘Admin’ username will fail.
Note: The WordPress interface is always being updated so check the date of this blog post. This process may not change but the screens you see might.
Happy blogging and please give me any feedback where you feel the explanation about changing your WordPress username falls down and could be improved.
Additional Note: It’s always a good idea to have someone cast an eye over your work. My good friend Sharon Jackson from Path 42 pointed out that you need to make sure that your username is not visible on your blog posts. If you do not specify on your profile how you want your name to appear, it will use your username.
To fix this click on ‘Your Profile’ under the ‘Users’ tab and scroll down to where it says ‘Display name publicly as:’. Use the down arrow to choose what you want shown. Best bet is to use your name if you want it to show up in the search engines, or if you want to be anonymous use a nickname.
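The checks from the steps and the additional note above can be run over a user export in one go. The script below is an added example, not part of the original post: it assumes the user list was exported as JSON with WP-CLI (`wp user list --fields=ID,user_login,display_name,roles --format=json`), and the sample users, the `site_name` parameter and the `audit_users` function are constructed for illustration.

```python
import json

# Constructed sample in the shape of a WP-CLI JSON user export (assumption:
# the post itself only uses the dashboard, not WP-CLI).
SAMPLE_EXPORT = """[
  {"ID": 1, "user_login": "admin", "display_name": "admin", "roles": "administrator"},
  {"ID": 2, "user_login": "k7-harbour-owl", "display_name": "Jo Example", "roles": "administrator"},
  {"ID": 3, "user_login": "myfoodblog", "display_name": "My Food Blog", "roles": "editor"},
  {"ID": 4, "user_login": "guestwriter", "display_name": "guestwriter", "roles": "author"}
]"""


def _norm(text):
    """Lower-case and keep only letters/digits so 'My Food Blog' matches 'myfoodblog'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def audit_users(users, site_name=""):
    """Return {user_login: [findings]} for the checks described in the post."""
    findings = {}
    for user in users:
        login, issues = user["user_login"], []
        if _norm(login) == "admin":
            issues.append("default 'admin' username still exists")
        if site_name and _norm(login) == _norm(site_name):
            issues.append("username is the name of the blog")
        if _norm(login) == _norm(user["display_name"]):
            issues.append("display name reveals the username")
        if issues:
            findings[login] = issues
    # The old 'Admin' user can only be deleted once another Administrator exists.
    admins = [u for u in users
              if "administrator" in [r.strip() for r in u["roles"].split(",")]]
    if not any(_norm(u["user_login"]) != "admin" for u in admins):
        findings["(site)"] = ["no Administrator other than 'admin'"]
    return findings


if __name__ == "__main__":
    report = audit_users(json.loads(SAMPLE_EXPORT), site_name="My Food Blog")
    for login, issues in report.items():
        for issue in issues:
            print(f"{login}: {issue}")
```

An empty result means no account uses ‘admin’ or the blog name as its login and no display name gives the login away.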