Before WordPress 3.0 the installer created the first administrator account with the username ‘admin’, and you couldn’t pick anything else. WordPress 3.0, released on June 17, 2010, lets you choose the username at install time, but there are still plenty of blogs out there with an administrative account named admin, either because they were installed earlier or because whoever set them up typed admin anyway.
If you’re one of them, change it now!
Password Hacking Bots
There are computers out there on the internet that do nothing but go from website to website looking for stuff. Most are benign: they follow a set of conventions (robots.txt, crawl-rate limits) and want nothing more than to index what’s on the sites they find so people can search it. Think Google, Yahoo, and Bing. These are the bots you want coming to your site.
Unfortunately, there are also bots roaming the internet that are up to no good. One kind does nothing but look for WordPress sites, and when it finds one it tries to log in by guessing usernames and passwords.
Now, it’s not that WordPress is insecure and these bots are just going for an easy target. Any content management system could be targeted. It’s just that WordPress is insanely popular, so a bot that only understands wp-login.php still has millions of sites to try. It’s the same reason there are thousands of viruses written for Windows and very few for Macs. It’s a numbers game.
It found me, now what?
Once one of these bots finds your site, or any WordPress site, it starts trying to log in. To log in it has to know two things: a username and a password.
And this is why you don’t want to use ‘admin’. These bots know that admin is the default, and on older WordPress blogs there is an account named admin. So that’s the username they’re most likely to try, although administrator, test, and root are popular choices as well. Once they have the first half, all they need to do is guess the password. Two things make the first half easier than it should be, and are worth knowing about: the login form’s error messages have historically told the visitor whether it was the username or the password that was wrong, and author archives (the URL /?author=1 redirects to /author/username/) reveal the login name of user ID 1, which on most sites is the first administrator.
On another blog of mine there are currently just short of 5,300 IP addresses blocked from trying to log in. There’s a plugin that we’ll talk about in just a bit that takes care of that for me. Of those 5,330, most tried logging in using some form of admin – admin, adm, or administrator were most common, with adminadmin and some other variants thrown in. There is only one lockout using a username that exists on that site, and it was from me when I forgot my password.
If the bot does manage to find a valid username / password combination, it can pass that along to a person who can then log in to your site and do anything you could do as an administrator – edit pages, plant links to other sites, install plugins or edit theme files (which means running their own code on your server), delete content, whatever.
So, what can I do?
Best bet is to not use admin as the username when you first create your WordPress site, and then it’s not an issue. But I have had a couple of sites that were upgraded from before WordPress allowed a different username, so that’s not always an option. If it’s not for you, there are a few choices.
First is to make sure you’re not using admin as your username. Unfortunately, WordPress won’t let you change an existing username from the dashboard: the Edit User screen says “Usernames cannot be changed,” and the function behind it, wp_update_user(), ignores user_login even if you pass it. The name is stored in the users table and nothing in the admin interface writes to that column after the account is created, so for now we’ll just go with “you can’t do it” and go on to what will work.
Easiest fix is to simply create a new user and give that account the Administrator role. Then log out, log back in with the new account, and delete the ‘admin’ account.
A couple of caveats for this. First, when you delete a user who has posts, WordPress will ask what to do with their content; choose “Attribute all content to” and pick your new, non-admin-named account rather than deleting it. And second, comments made from the admin username may not show the correct avatar afterwards. It’s possible to go and edit the database directly to fix that up, but that’s a bit messy.
Another option is to, instead of deleting the first admin account, just give that account such a long, random password that it’s unlikely to be guessed. I did this on another blog where I didn’t want to have to reassign all the comments and posts. I used a tool similar to this to create a password with about 50 characters and then never used that account again. Yes, eventually it could still be guessed, but we are talking about a huge number of potential combinations and that plugin mentioned earlier will help with that.
There are also plugins for WordPress that can change the username. Haven’t used one, and always thought it was odd that if a plugin can do it, WordPress can’t out of the box.
And if you’re feeling really adventurous you can edit the database directly.
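Here is the database route written out, as an added example rather than anything from the post or from one of the rename plugins it mentions. It is a PHP script meant to be run with WP-CLI’s `wp eval-file` so that WordPress’s own database handle and table prefix are used instead of a hand-typed `UPDATE wp_users`. The script name, the use of WP-CLI, and the decision to leave `user_nicename` alone are assumptions made here, not instructions from the post.

```php
<?php
/**
 * rename-admin.php (added example, not from the original post)
 *
 * Renames the account whose login is 'admin' in place, keeping its user ID,
 * so posts and comments stay attributed and nothing has to be reassigned.
 *
 * Usage (assumes WP-CLI is installed; run from the site root):
 *   wp eval-file rename-admin.php <new-username>
 */

// WP-CLI places extra command-line arguments in $args.
$new_login = isset( $args[0] ) ? sanitize_user( $args[0], true ) : '';

if ( '' === $new_login || 'admin' === $new_login ) {
    WP_CLI::error( 'Usage: wp eval-file rename-admin.php <new-username>' );
}
if ( username_exists( $new_login ) ) {
    WP_CLI::error( "A user named '{$new_login}' already exists." );
}

$user = get_user_by( 'login', 'admin' );
if ( ! $user ) {
    WP_CLI::error( 'No account named admin on this site; nothing to do.' );
}

global $wpdb;

// wp_update_user() drops user_login on the floor, which is why the dashboard
// cannot do this; write the column directly. user_nicename (the slug used in
// /author/<slug>/ URLs) is deliberately left as it was: changing it would break
// existing author links, and keeping it different from the login name means
// the author archive no longer tells a bot which username to try.
$updated = $wpdb->update(
    $wpdb->users,
    array( 'user_login' => $new_login ),
    array( 'ID' => $user->ID ),
    array( '%s' ),
    array( '%d' )
);
if ( false === $updated ) {
    WP_CLI::error( 'Database update failed: ' . $wpdb->last_error );
}

// WordPress caches user objects by login name; drop the stale entry.
clean_user_cache( $user );

// Sessions are keyed by user ID, so any existing login would keep working.
// Force a fresh login under the new name (WP_Session_Tokens exists since 4.0).
if ( class_exists( 'WP_Session_Tokens' ) ) {
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
}

WP_CLI::success( "Renamed 'admin' (ID {$user->ID}) to '{$new_login}'. Log in again with the new name." );
```

Because the user ID never changes, post authorship, comment ownership and avatars are untouched, which is the advantage over the create-and-delete route above. Take a database backup first all the same; the write is a single row, but it is the row that controls who can administer the site.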
Okay, you’ve got me worried!
This isn’t something to lose sleep over. Yes, there are bots scanning your site, and they will keep scanning it. But you do want to follow a few steps to make your WordPress site as secure as you reasonably can.
First, don’t use ‘admin’ as your username. You probably figured this one out already since it’s the point of this whole post. But I’ll put it here again just in case.
Next, make sure your password is genuinely hard to guess. The most popular password in 2012 was password. The people who write these bots know the common passwords and try those lists first, along with the username itself, the site name, and simple variations; they almost never guess at random. A long passphrase, or a random string kept in a password manager, takes you out of the lists entirely.
And, you can install the Limit Login Attempts plugin. This plugin lets you limit how many times a specific IP address can fail to log in before getting locked out, and how long that lockout lasts. Two things to keep in mind: a bot spread across many addresses still gets that many tries from each one, so the lockout is a complement to a strong password, not a substitute; and if your site sits behind a proxy or CDN that hides visitors’ real addresses, make sure the plugin is told where to read the client IP, or every visitor will look like the same address.
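To show what a plugin like that actually does, here is a minimal lockout written as a must-use plugin. It is an added example, not the Limit Login Attempts plugin’s code, and the thresholds, option names and file name are assumptions chosen for illustration. It counts failed logins per client IP in WordPress transients and refuses the login form (and XML-RPC, which goes through the same `authenticate` filter) while an address is locked out.

```php
<?php
/**
 * Plugin Name: Tiny Login Lockout (added example, not the Limit Login Attempts plugin)
 * Description: Locks a client IP out of logging in after repeated failures.
 *
 * Drop this file into wp-content/mu-plugins/ and it loads on every request.
 * Thresholds below are assumptions for this example.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'TLL_TRIES',  4 );                        // failures allowed before lockout
define( 'TLL_WINDOW', 20 * MINUTE_IN_SECONDS );   // failures are forgotten after this
define( 'TLL_LOCK',   20 * MINUTE_IN_SECONDS );   // how long a lockout lasts

/**
 * Address the counters are keyed on. REMOTE_ADDR is set by the web server and
 * cannot be forged by the client. Behind a reverse proxy or CDN every visitor
 * shares it, so there you must read the proxy's header instead, and only there:
 * trusting X-Forwarded-For from the open internet lets a bot pick its own key.
 */
function tll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function tll_key( $what, $ip ) {
    // Transient names are limited in length; hash the address to keep them short.
    return 'tll_' . $what . '_' . md5( $ip );
}

/**
 * Runs after core has checked the password (core's handlers sit at priority
 * 20 and 30), so a correct password from a locked-out address is still refused.
 */
add_filter( 'authenticate', function ( $user, $username ) {
    $ip = tll_client_ip();
    if ( get_transient( tll_key( 'lock', $ip ) ) ) {
        return new WP_Error(
            'tll_locked',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 99, 2 );

/**
 * Every failed attempt bumps the counter; reaching the threshold starts a lock.
 * Re-setting the transient restarts the window, so it slides with each failure.
 */
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = tll_client_ip();
    $tries = (int) get_transient( tll_key( 'tries', $ip ) ) + 1;

    if ( $tries >= TLL_TRIES ) {
        set_transient( tll_key( 'lock', $ip ), time(), TLL_LOCK );
        delete_transient( tll_key( 'tries', $ip ) );
        // Worth keeping: the usernames bots try tell you what they think exists.
        error_log( sprintf(
            'tll: locked out %s after %d failures (last username tried: "%s")',
            $ip, $tries, $username
        ) );
    } else {
        set_transient( tll_key( 'tries', $ip ), $tries, TLL_WINDOW );
    }
} );

/** A successful login clears the counter for that address. */
add_action( 'wp_login', function () {
    delete_transient( tll_key( 'tries', tll_client_ip() ) );
} );
```

Two design points. The check is on the `authenticate` filter rather than on the login page template, so it also covers XML-RPC logins, which bots use to pack many guesses into one request. And the counters are per address: a bot behind a hundred addresses still gets `TLL_TRIES` guesses from each, which is why the lockout stands alongside a strong password rather than replacing it.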
There are other similar plugins and entire companies that help with your security. Just haven’t used any, so don’t have anything to say.
If you want to go straight to the source, the WordPress Codex has an article on Hardening WordPress that’s probably worth a read. Fairly technical in places, but a good place to start.