How To Remove The WordPress Admin User Account
If you’ve been on the internet in the past week or so, you’ve probably heard about the spate of “brute force” attacks that have been made on WordPress sites, specifically targeting accounts with the username “admin.” It has always been a security best practice to not use this username, or any other similarly generic one but the recent attacks have highlighted the issue to the masses, which is really the silver lining here.
The reason “admin” is the target is because it is the default username that is assigned upon installation of WordPress. If you install WordPress through your hosting control panel, you are usually, but not always, given a chance to change that before installation, but many unsuspecting folks, especially new users, may not see a reason to change it. So now a hacker has 50% of the information that he needs to get into your site. Since most people use extremely weak i.e. simple, passwords, hackers can automate the submission of zillions of attempts at guessing your password. If your password isn’t strong, they have a good chance of gaining access.
So the easiest step you can take in securing your site is to delete the admin user account if your site is using it. To verify whether it exists (even if it’s not the username you are personally using) simply log into your site and go to Users > All Users and look in the Username column for “admin”. If you find it there, skip to Step 5 below. If you yourself log in using the name “admin” you must take the following steps:
- Click Add New and set up a new user account with a different username
- Give this account a STRONG password. Random numbers/letters/characters are best. This won’t be a problem for you if you use a password manager like 1Password or LastPass.
- Assign the role of Administrator to this user.
- After creating this account you then need to log out of the “admin” account and log back in using the new credentials you just set up
- Go to Users > All Users and mouseover the admin name – you will then see the “Delete” option. Click Delete
- On the next screen you will be asked if you want to assign all the posts that were created by “admin” to another user (yes you do!) – choose your new user account and then confirm the deletion.
Congrats! Your site is now more secure.
Other small steps you can take:
- Install the Limit Login Attempts plugin which is designed to prevent brute force attacks.
- Make sure you’re running Cloudflare on your site. Cloudflare can intercept a lot of attackers before they even reach your site and took a proactive stance when these attacks started happening.
If you are ever in the unfortunate situation of having your site hacked, I recommend you contact Sucuri to clean it up for you. They are the leaders in web security and for a low fee will clean your site and provide monitoring going forward.
Great tutorial. Highly recommended that the admin username be removed on all installations of WordPress.
I've read on the Cloudflare blog that their systems can detect and stop brute force attacks.