If you are using Admin or Administrator as a username on WordPress, you are ignoring one of the simplest security measures going. WordPress does not provide a direct way of changing a username, but it is still possible and very easy. Just follow these steps!
First though, why is it so important? Well, look at these recent attempts to break into this blog. All are using one of 3 predictable user names (and this attack went on for over a day, with a few attempts per minute from different IP addresses, until I closed it down with a clever plugin).
Because my username is none of the 3 being tried, the hacker stood no chance. Even had they stumbled onto the correct password, the mismatched userid protected my site.
It’s almost like having 2 passwords to guess – they have to guess userid & password at the same time.
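The pattern described above (a few login attempts a minute, each from a different IP address) is visible in an ordinary web server access log even before any security plugin is installed. The shell script below is an added example and not part of the original post: it flags minutes with an unusual number of POSTs to wp-login.php and counts the distinct source addresses behind them, and separately checks a list of user logins against predictable names. The log lines and usernames are constructed for the example; the script also assumes the default WordPress behaviour that a failed login re-renders the form with status 200 while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example (not from the original post): spot a distributed
# username-guessing run against wp-login.php in a combined-format
# (Apache/nginx) access log, and check whether any predictable
# usernames actually exist on the site.

# Constructed sample log for this example. The final line is a successful
# login (302 redirect); the rest are failed attempts (200, form re-rendered).
SAMPLE_LOG='203.0.113.5 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:02:03 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# login_post_bursts THRESHOLD  (log on stdin)
# Prints one line per minute in which at least THRESHOLD login POSTs were
# seen: the minute, total attempts, distinct source IPs and failed attempts.
login_post_bursts() {
    awk -v thr="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
        m = substr($4, 2, 17)        # "[12/Apr/2013:10:01:02" -> "12/Apr/2013:10:01"
        n[m]++
        if (!((m, $1) in seen)) { seen[m, $1] = 1; ips[m]++ }
        if ($9 == 200) failed[m]++   # 200 = form re-rendered = failed login
    }
    END {
        for (m in n) if (n[m] >= thr)
            printf "%s attempts=%d distinct_ips=%d failed=%d\n", m, n[m], ips[m], failed[m]
    }' | sort
}

# predictable_logins "name1 name2 ..."  (one user login per line on stdin)
# Prints every login that matches one of the given names, case-insensitively.
predictable_logins() {
    awk -v names="$1" '
    BEGIN { k = split(tolower(names), a, " "); for (i = 1; i <= k; i++) bad[a[i]] = 1 }
    tolower($0) in bad { print }'
}

# Example run over the constructed log: flag minutes with 3 or more login POSTs.
printf '%s\n' "$SAMPLE_LOG" | login_post_bursts 3
# On a live site the login list could come from: wp user list --field=user_login
printf 'Admin\nsarah\nadministrator\n' | predictable_logins 'admin administrator'
```

A minute with several failed POSTs from several distinct addresses is the signature of the distributed guessing the post describes; a single address hammering the form is the easier case that per-IP rate limiting already covers. Any login the second function prints is one the guessing run is likely to try.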
Unfortunately it’s not as simple as editing the username. However, the steps required instead are very simple once you know the sequence!
Step 1 – Create A New User
You can’t rename your admin user, so create a new one. Give it a username that is not obvious but that you can easily remember (you can always save it and your password in your browser).
You will need an email address that is different from the one on your existing account. If you are self hosting you can hopefully create email addresses yourself, and using a separate address adds a further level of security.
Give this new user the maximum “role” available – Administrator – and then click Add New User to finish creating them.
Click on the confirmation email to activate the account, sign off as the current user and sign on as the new user. That’s the difficult part sorted!
Step 2 – Edit User
Go to Users, click Edit under your new Admin user, scroll down to Nickname and enter your chosen name. This is the name that WordPress will display on all your posts as your author name.
Just entering your nickname isn’t enough; WordPress won’t use it yet. Look at the drop down box below “Display name publicly as”. Expand the box to see the 2 names and select your nickname.
Now hit save. From now on you have an admin user that is not obvious and you are hiding your login name. However, you still have that Admin / Administrator or whatever userid lurking.
Step 3 – Get Rid Of Old Admin
There are 2 ways of doing this. The easiest (but least secure) is to simply edit the old Admin user and set their role to Subscriber. Now, should someone break into that userid, at least they shouldn’t be able to do any damage.
The more secure way is to delete the userid fully. First, make sure you have a backup of your database (if you aren’t making backups already, look at my list of security plugins for a suggestion).
Just select “Attribute all content to:” and from the drop down box choose your new userid (probably the only one there). Double check that the “Delete all content” option is not ticked and then Confirm Deletion.
That’s it. A bit long-winded, but you have effectively changed your userid by deleting the old one and creating a new one.
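The same three steps can be done from the command line with WP-CLI (https://wp-cli.org) instead of clicking through the dashboard. The script below is an added example, not part of the original post, and it assumes WP-CLI is installed on the server with access to the site. It prints the commands as a plan by default and only executes them when started with --run; the usernames, email address and install path in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the post's three steps done with
# WP-CLI (assumed installed), as a plan that is printed first and only run
# on request. All values below are placeholders; override them from the
# environment, e.g. NEW_USER=mylogin WP_PATH=/srv/wp ./rename-admin.sh --run

OLD_USER="${OLD_USER:-admin}"                  # placeholder: the predictable login to retire
NEW_USER="${NEW_USER:-sb-editor-7k}"           # placeholder: pick your own non-obvious login
NEW_EMAIL="${NEW_EMAIL:-editor@example.com}"    # placeholder: must differ from the old user's address
NICKNAME="${NICKNAME:-Site Editor}"             # what readers see on posts; not the login
WP_PATH="${WP_PATH:-/var/www/html}"             # placeholder: WordPress install directory

# rename_plan OLD NEW EMAIL NICKNAME PATH
# Emits the ordered WP-CLI commands, one per line, so they can be reviewed
# before anything runs. Nothing is executed here.
rename_plan() {
    old="$1"; new="$2"; email="$3"; nick="$4"; path="$5"
    # Backup first: the final step is destructive and the post recommends a DB backup.
    printf 'wp --path=%s db export %s\n' "$path" "before-admin-rename.sql"
    # Step 1 + 2: create the replacement administrator with nickname and public
    # display name set in one go (this is what "Display name publicly as"
    # controls in the dashboard). --user_pass is omitted on purpose so WP-CLI
    # generates and prints a random password instead of leaving one in shell history.
    printf 'wp --path=%s user create %s %s --role=administrator --nickname=%s --display_name=%s\n' \
        "$path" "$new" "$email" "'$nick'" "'$nick'"
    # Step 3 (secure variant): delete the old login and reassign all of its content
    # to the new user. The $(...) is left for the executing shell, so the new
    # user's ID is looked up at run time rather than when the plan is printed.
    printf 'wp --path=%s user delete %s --reassign="$(wp --path=%s user get %s --field=ID)" --yes\n' \
        "$path" "$old" "$path" "$new"
}

# demote_plan OLD PATH
# The post's less secure alternative to step 3: keep the old login but strip its rights.
demote_plan() {
    printf 'wp --path=%s user update %s --role=subscriber\n' "$2" "$1"
}

case "${1:-}" in
    --run) rename_plan "$OLD_USER" "$NEW_USER" "$NEW_EMAIL" "$NICKNAME" "$WP_PATH" | sh -e ;;
    *)     rename_plan "$OLD_USER" "$NEW_USER" "$NEW_EMAIL" "$NICKNAME" "$WP_PATH" ;;
esac
```

Running the plan through `sh -e` stops at the first failing command, so if the new user cannot be created (for example because the email address is already in use) the old administrator is never deleted. Reassigning before deletion is what keeps the posts: WP-CLI's --reassign is the command-line equivalent of the dashboard's “Attribute all content to:” choice.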
There are plenty more security steps to apply – have a look through my list of security plugins. That list will be updated shortly too, as I have another one that I think is essential and that in the last week has prevented most hackers even being able to start to attack the blog!
If you are interested in that, then subscribe to the newsletter, follow on Twitter or both and you’ll be the first to hear about the updated list.