How to Change WordPress ‘admin’ username for Security Reasons

Blog Hackers try “admin” username First!

If a hacker tries to break into your account, they assume that your WordPress login username is “admin”.   If they are correct, then they have a better chance of breaking into your WordPress blog or website. Now they only need to guess the correct password. So to make your site safer, simply change the “admin” username to something else!

Who Cares about WordPress Security?

In the beginning of April 2013, there was a wave of hack attacks on WordPress blogs and websites.  If you were not affected, consider yourself LUCKY not SMART!   Here’s some more information on the recent Brute-Force attacks on WordPress blogs and websites.  The point is to prepare yourself for the next wave of attacks!

What are Brute Force Attacks?

Brute-force attacks on WordPress sites are basically computer programs that try thousands of different usernames and passwords on the WordPress website login page until they get a combination that works.  These software programs try many different WordPress login username and password combinations on random sites, until it finds a login / password combination that works. Don’t let that happen to your WordPress website.

Many times these programs will assume that your WordPress login username is “admin”.   This is an excellent guess at your username because so many WordPress blogs and websites have this login username as the default.  So now the computer software program only has to guess the password that you used in combination with the login username called “admin”.  You’ve just made the job of hacking into your site significantly easier for the hacker and their automated software programs. You don’t want to do that!

So the first step you should take in making your WordPress website more secure is to simply change the login username from “admin” to something else.

Here’s another great post from a great blogger Nile Flores about Brute-force attacks on WordPress sites and some other things you can do to keep your site safe.

I just got an email today from the developer of one of my favorite WordPress Security Plugins — Wordfence.  The email contained the following excellent written steps for changing the WordPress login username.

To rename your WordPress ‘admin’ user:

  1. Sign in as ‘admin’.
  2. Create a new user in your WordPress site.
  3. Choose a hard-to-guess username, but don’t make it so difficult that you’ll forget it.
  4. Make sure that the new user’s role is “administrator”.
  5. Choose a password that has upper and lower-case letters and numbers in it. Symbols are OK too. (symbols like: #@%&*^).  Never use the word ‘password’ in your password, even if it has a different case and includes numbers.
  6. Click “Add new user”.
  7. Logout as ‘admin’.
  8. Login as the new user.
  9. Delete your old ‘admin’ user and assign all posts/pages/comments to your new admin user.
  10. Congratulations, you now have a more secure WordPress system.

 Video Tutorial on Changing “admin” User

In the video below, I have created a short, simple video tutorial on how to change the “admin” username on your WordPress website:

And here’s another recent post from WPBeginner on how to change your WordPress username using phpmyadmin and your WordPress MySQL database.

Please leave a comment to share your experiences or let me know what you think of the video.   Thanks!

 

Article Written by Jim Landers aka “Jupiter Jim”

 

 

Meet the Author

Jupiterjim
36 comments… add one
  • Farrell John Conejos May 1, 2013, 11:08 am

    Hey Jim,

    Come to think of it, many WordPress sites usernames are “admin” and like what you’ve said, it has a bigger chance to be hacked down because it is very common. Well, from a saying that goes “prevention is better than cure”, it very fits well in situations like this and that “us” (I also use wordpress) should prepare our sites with security and care for we may never know when this Brute-force attacks or other hacking software’s or systems will try and attack our sites again. Changing usernames would be a good solution for it. By the way, thanks for sharing how to change usernames in WordPress powered sites. It would definitely help a lot of people who uses WordPress.

    • jupiterjim May 1, 2013, 12:37 pm

      Farrell John,

      I appreciate your thoughtful comment and feedback!

  • Yorinda May 1, 2013, 3:49 pm

    Hi Jim,
    thanks for the very helpful post and video.

    Fortunately, I had changed this long before the attacks were happening.
    A while someone mentioned that it also would be good to delete it in your files on your hosting account??

    I will share this so more people can get this useful information.
    Cheers,
    Yorinda

    • jupiterjim May 2, 2013, 7:18 am

      Yorinda,

      Thanks for dropping by and thanks for sharing!

  • George Zapo May 2, 2013, 7:13 am

    Thank you, Jim! You provided some vital and valuable advice and I appreciate it!

    • jupiterjim May 2, 2013, 7:17 am

      Thanks for the feedback, George!

  • Steve Borgman May 3, 2013, 6:44 pm

    Jim, thanks so much for this tutorial! I’ve read so many times that we need to change from admin to a different user name, but I was too overwhelmed with the How. Thanks for showing us the way!

  • jun May 4, 2013, 9:49 pm

    Thanks for this security tip… a very useful for every site owners that use wordpress as platform….nice share

  • Sarah Arrow May 5, 2013, 1:13 pm

    Thanks for this handy tutorial Jim. I use a variety of user names, and haven’t had one called admin for a long time – but as you correctly point out this can be set in place for you when you auto install WordPress. You can sometimes change it at this level, so keep an eye out on your new installations.

  • Clare May 5, 2013, 4:11 pm

    Hi Jim,
    so glad you were able to help me today with my login for my website – you changed the username – thank you!!

    regards
    Clare

  • Clare May 5, 2013, 4:22 pm

    hi Jim,

    checking again. hopefully I am getting lots of credit for this one!!

    Clare

  • Boca Raton Web Design May 5, 2013, 9:32 pm

    As web designer I’m amazed at how many people keep their usernames as “admin”. It’s very important to have something different, thanks for sharing these tips on how to accomplish that!

  • Lauren Conrad May 6, 2013, 12:50 am

    This is so cool! Thanks a lot Was wondering how to do this.

  • saanvi May 7, 2013, 5:00 am

    I REALLY appreciate this info. I am new to WordPress, and you helped me set up my website to how I wanted it. Makes it more personal having a real name rather than “admin”. Thanks

  • daniel May 7, 2013, 9:05 am

    very good tips on security. changing your password from time to time it’s also a good idea.

  • Chery Schmidt May 8, 2013, 10:46 pm

    Hi Jim! I did change my password as well as added a security plug in but never knew that I should also change my user name. Now I know how to do it too.. Thanks for the great information.. Chery 🙂

    • jupiterjim May 9, 2013, 11:16 am

      Yes, that’s critical, Chery. Glad I could help.

  • Tilden May 9, 2013, 4:11 pm

    I’m a new blogger and just subscribed to yours — thanks for the bonuses and the really useful videos you’ve made.

    As far as changing away from admin: my WP theme tells the world that admin posted such-and-such. If I change to abc, I imagine it will say that abc posted such-and-such. Wouldn’t that reduce the security benefit of the name-change considerably? If so, do you know of a work-around?

    Cheers!
    Tilden

    • jupiterjim May 9, 2013, 5:38 pm

      GREAT Question! When you create the profile, make sure that your name or nickname is different than the login name, that’s all. Thanks for subscribing.

      • Tilden May 14, 2013, 3:12 pm

        Worked great — thanks! The only surprise was that I couldn’t use the same email I’ve been using for Admin until after I deleted Admin.

        • jupiterjim May 14, 2013, 6:52 pm

          You’re exactly correct. I didn’t go into that in the video, but maybe I should have. Thanks for pointing that out in case I ever re-do the video!

  • Clint Butler May 10, 2013, 10:18 pm

    Great tutorial Jim, really easy to follow the steps. I was wondering, at one time I knew of a plugin that would do this for you. It would also go through your whole installation and check to make sure its safe from hackers by changing file permissions and other things. Do you know of one that will do that?

    • jupiterjim May 11, 2013, 7:49 am

      Try WP Security.

  • DeAnna Troupe May 11, 2013, 7:07 pm

    Hmm. I know I’ve changed admin on my main blog, but I may need to change the user name on some of my other blogs.

  • Joan Hampton May 14, 2013, 7:00 am

    of April, all of a sudden a hundred or so of our servers popped up in our monitoring system with abnormally high load. When we dug into it, we found that ALL our servers in the US are under a brute-force attack that targets WP and Joomla sites. The botnets were using more than 1000 different IP addresses per server (we’ve blocked logins of more than unique 92,000 IPs so far) and tried to guess the passwords at a unique pace. At this point I was furious, now it was not about few websites with weak passwords that were hacked, but about endangering our server performance. Our goal now became to stop the attack immediately and once for all. Therefore, I gathered the security team and a few moments later we had a temporary solution that took place immediately and an idea how to permanently stop those botnets, forever. I will not go into details in terms of what we did, cause chances are some of those hackers running those same botnets would read it and will try to outsmart us, but the facts show that for the past 12 hours we have blocked more than 15 million bruteforce attempts (That’s A LOT!) towards our clients and our servers are not experiencing any load issues.

    • jupiterjim May 14, 2013, 10:47 am

      Wow, that is an amazing story! I am so glad you were able to figure out a solution to block more than 15 million brute-force login attemps! Thanks for sharing!

  • Pearly Quah May 14, 2013, 1:01 pm

    Hi Jupiter,
    You are providing valuable tips here. Your tutorial is definitely useful for anyone to follow the step by step guide to change the user name. That is an awesome tip.

    Jupiter, thank you so much for sharing 🙂

    Cheers 🙂
    Pearly

  • nick catricala May 21, 2013, 8:15 pm

    Jim,
    thanks so much for your great tutorial on how to safegardourselves from what it is called “brute attack” on wordpress… I was one of the LUCKY not SMART smart person who did not get any troubles.. but as you say, I was just Lucky since I did not use the “admin” username…

    I was a way for a while and missed many of your great blog post and tutorials.. hope I will catch up soon and be able to learn much more from you.
    Thanks so much again.
    nickc

    • jupiterjim May 23, 2013, 11:53 am

      Nick,

      Glad you are back and glad I can help! Glad you are lucky! Thanks for dropping by!

  • Aqiyl Henry@plant based diet Jun 4, 2013, 8:33 pm

    You make a very good point about changing the admin name. It is not difficult to pick out a Wordpress site, and if you keep the admin login you have just made it a little easier to hack an admin account. There are a lot of Wordpress user who don’t change the name on the “admin” account.

  • bodynsoil Jun 5, 2013, 4:31 am

    With the rash of attacks we’ve had lately, I’ve taken the time to make this change myself. Thank you for this information and explanation on how to get the job done easily.

  • Nile Jun 16, 2013, 1:26 pm

    Any WordPress user could have the ‘admin’ username, but because of it being so highly hacked on, you would have to have a really good and long password to survive from being hacked.

    If you are changing your username from WordPress by creating a new usering and removing the other, remember that if you have a multi-author site, you will have to attribute those posts to a different user either through SQL first OR manually.

    My recommendation is to change the username in the MySQL if your site has more than one author. Of course, I do it regardless as it is much faster and I don’t have to redo passwords, bios, etc…

  • Yorinda Jun 18, 2013, 11:59 pm

    Hi again,
    the other day I was sorting out my database in the host back office and I was amazed how many login attempts there were with ‘admin’ or similar ones!

    I will share this again, so more people may get to change this important aspect.
    Thank you so much, Jim! for the great tutorial!
    Cheers,
    Yorinda

  • Memtal Jun 22, 2014, 1:06 pm

    Last year almost every week one of my blogs were hacked. This year hacking seems to be less and I have taken some measures to combat it as well. It is terrible to see all sorts of rubbish on your site and you may not realize for sometime that can cause penalties and all sorts of problems for your site.

    Solutions like this only take a minute or less and pretty effective. You can also update your WP site often and thick the box that says “limit the login attempts”. It is always better to be safe than sorry.

  • Amrish Aug 12, 2014, 12:21 pm

    wow… how many people don’t update their username on creation?
    And changing the record in the database without following the chain of records that the original input created is just… wrong. I wouldn’t be giving anyone this advice without a disclaimer. At least it says the easiest way (it should be the recommended way) is to create a new user and attribute all posts to it then make sure that the old user ID isn’t being called from anywhere, if it is update it.

Leave a Comment