This tutorial discusses the importance of WordPress security and the immediate hazard of using the default ‘admin’ user account. We’ve written a tutorial describing how to change the default admin username in WordPress. If you’re already familiar with the dangers, I suggest you skip ahead to the tutorial part. Others can continue reading.
WordPress security is no trivial thing. In fact, given the vast number of direct brute-force attacks on the millions of websites powered by WordPress, one might think that webmasters devote 30-50% of their attention to the site’s security. Surprisingly, that’s not the case. The truth is, WordPress security sits right at the bottom of a website’s to-do list (if it is present at all). It is one of the most neglected items in a novice webmaster’s list of concerns. In most cases, one of two things happens:
- The webmaster evaluates the site to be unimportant and hence not a potential target for hackers
- He simply forgets about the security aspect
Whatever the situation, you’ll be in a real jam when your site is hacked. We firmly believe that prevention is better than cure – that’s why we’re using Managed WordPress Hosting from WPEngine. It’s rock solid and comes with bullet-proof security. Our site hasn’t been hacked yet. Go ahead, we dare you! 😀 In keeping with our “prevent rather than cure” ritual, let’s talk about the WordPress admin (or administrator) account and learn how to plug that security hole once and for all.
What Is The WordPress Administrator Account?
Better known as the admin account, it is the default account name that comes with every new WordPress installation. Its user role is Administrator, which means it holds the highest level of access in every WordPress site. In the wrong hands, it can inject malicious code, steal sensitive data and, in the worst case – delete your site completely. In a nutshell, using admin as the username for an account with administrative privileges (i.e. the Administrator user role) is a huge security loophole.
Why? Glad you want to know. When a hacker wants to gain access to your WordPress site, he needs to work out two things:
- WordPress Username
- Corresponding Password
When most WordPress sites are running “admin” as their username, half of the hacker’s work is already done for him. He can simply start the brute-force attack (which is nothing but trying every possible character combination as the password), sit back and sip his coffee while the (massive) computer grid crunches 1000s of characters per second and destabilizes your server.
Now, do you want to fall into that category? I’m pretty certain you don’t. So let’s never, ever use admin as a username in any future WordPress installation. But what about the folks who already have a WordPress account with admin as the username?
Usernames can’t be changed from within the WordPress dashboard. That’s what we know (so far). So what can be done? Well, for starters, you can use a super strong password. An assortment of alphanumeric, mixed-case and special characters in a password around 35 characters long should take a while to crack. However, if you wish to treat the hack boy to the full course (i.e. he must work out both the username and the password), then you should change the admin username entirely.
Delete Or Change The Admin Username
Option 1 is to create an entirely new admin account with a unique name and a strong password, log back into your WordPress installation with the new admin account and then delete your old account. You will be prompted to reassign all of your old posts to another user (e.g. your new admin account). Option 2 is to rename your current admin account using phpMyAdmin. Follow along with the tutorial below to see how.
Gain Access To phpMyAdmin
phpMyAdmin is a web-based GUI that gives you interactive access to your server’s database. Some might call it a front-end editor for your database. Most shared hosting providers give access to phpMyAdmin, and it is available in cPanel. Once you have access, select your WordPress database. In our case it’s wpe-tut.
phpMyAdmin will list all the tables in that database. The tables shown in the following screenshot are the default ones in a WordPress installation. We want to select wp_users since it contains the value we want to edit.
Selecting The Correct Username
Now you should see a screenshot like this. Let’s study it carefully.
- ID: This is the bookkeeping variable. It sequentially identifies every user registered in a WordPress installation. Since admin is the first user to be registered, its ID is 1. In this tutorial, we have used no other users.
- user_login is the variable storing the actual username of the user.
- user_pass contains the corresponding password, stored as an MD5-based hash rather than in plaintext.
- user_nicename is the full name of the user.
- user_email is the variable that stores the email address of that user.
- display_name is how the username is displayed across posts and pages. For example, posts by some users are shown as “Editorial Team” instead of “Joe Smith”.
- The other fields present are not important for this tutorial.
We want to change the user_login field. Optionally we could change user_nicename and display_name. To do this, we select the Edit option.
phpMyAdmin will take us to the individual fields for the admin entry under wp_users.
We now change the values to suitable ones. I’ve changed mine to Sourav and its derivatives.
Once completed, click on Go to commit the changes. You should get a message like this:
Now when you check the wp_users entry, the admin username will no longer be present. You’ll find the value you set user_login to as the new username. That completes the working phase of our tutorial. Let’s test it out. We log in to WordPress using the new username and the old password.
And booyah, it works!
WordPress clearly recognizes the new username. All previous data has been left intact. Remember, if you use a caching plugin and have a lot of posts submitted under the admin username, you must purge the entire cache. We can also check our User Profile found under Settings. This is what we should get:
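The same edit expressed as SQL, as an added example that is not part of the original tutorial; it assumes the default wp_ table prefix, the admin row having ID 1, and the placeholder names sourav / Sourav, and can be pasted into phpMyAdmin’s SQL tab instead of clicking through the Edit form. It also renames user_nicename, because that column is the author slug that shows up in author archive URLs, so leaving it as admin would still reveal the old login.

```sql
-- Added example (not the tutorial's own code). Assumptions: table prefix wp_,
-- the admin account is ID 1, and 'sourav' / 'Sourav' are placeholder values.

-- 1. Confirm that exactly one account still carries the default login.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'admin';

-- 2. Rename it. The WHERE clause checks both ID and user_login, so the
--    statement changes nothing if the row has already been renamed or if
--    ID 1 is some other account. user_pass is deliberately left alone: the
--    stored hash stays valid, which is why the old password keeps working.
--    user_nicename is also the author slug used in /author/<slug>/ URLs,
--    so it is renamed as well; display_name is what readers see on posts.
UPDATE wp_users
SET user_login    = 'sourav',
    user_nicename = 'sourav',
    display_name  = 'Sourav'
WHERE ID = 1
  AND user_login = 'admin';

-- 3. Verify: the first query should now return no rows, the second one row.
SELECT ID, user_login FROM wp_users WHERE user_login = 'admin';
SELECT ID, user_login, user_nicename, display_name FROM wp_users WHERE ID = 1;

-- 4. Posts reference their author by ID (wp_posts.post_author), not by
--    username, so existing content stays attached without further changes.
SELECT COUNT(*) AS posts_by_renamed_user FROM wp_posts WHERE post_author = 1;
```

Run step 1 before step 2 and step 3 after it; if the UPDATE reports 0 rows affected, the guard in the WHERE clause stopped it and the row should be inspected by hand.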
Changing the default WordPress admin account to something else hardens the security of your WordPress site. It is considered one of the best security practices for all WordPress webmasters and/or developers. If you’ve been using the admin username, it is high time you changed it.
This tutorial is 100% WordPress intensive. I’ve explained the WordPress database’s table attributes along with their respective purposes. Just follow the screenshots and you’re good to go. If you ever get stuck, the comment form is all yours. You could also ping me on Twitter. Over to you – do you know of another way to change the admin username in WordPress? Have an uber-cool security tip? Do let us know!