Why You Should Never Have an ‘Admin’ User Account in WordPress


If you set up a WordPress installation with ‘admin’ as the default administrator username you’re opening up an easily exploited security hole. If your site is subjected to a brute force attack, you’re playing right into the hands of the attacker.

A brute force attack is password guessing and it’s very common. An attacker will try various combinations of usernames and passwords until they find one that works. Once they’re in they can do what they like, including compromising the site with malware.

I recently installed the Sucuri plugin on a site I knew had come under attack, and I set it up to send me an email notification every time there was a failed login attempt. In less than 24 hours I’d had 98 alerts telling me that someone had tried to get in using either ‘admin’ or ‘adm1n’ as the username.

If the site in question actually had a username called ‘admin’ then half the battle would’ve been over for the attacker. If it’d been coupled with a common password then they’d probably be in. That’s why it’s important to choose a username which has no relation to admin or the site name, and a good password. One way of doing this is to use a secure password generator.

You can also help by restricting access to the login page itself to only approved IP addresses.


Leave a Reply