The Hidden Dangers of the WordPress Admin User

DISCLOSURE: This article may contain affiliate links. Which means we make a commission, at no cost to you, on products and services we recommend that you decide to buy. Read our full disclosure here.

If you use the default WordPress username – admin – on a self-hosted site, you should seriously consider deleting it as you are potentially leaving your site open to hackers.

Don’t worry – you can switch all posts assigned to admin to another user…more on how to do that further down the page.

In 2013, the BBC reported a spate of attacks on WordPress powered sites by a rogue botnet (a network of hijacked home computers, typically controlled by a criminal gang). It’s looking for sites using the admin username and tries thousands of passwords to gain access.

BBC News Report on Bot Attack on WordPress

Matt Mullenweg, co-creator of WordPress, said on this blog:

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

If Matt Mullenweg’s advice isn’t enough, have a look at this image from another of my sites. It’s a screenshot of somebody (or some bot) trying to log in using the inactive username admin and a password straight out of the dictionary.

(Click on the image for a better view.)

Admin Hack Attempts

As you can see from the time between each attempt to log in, it’s lame compared to a targeted attack by a botnet trying hundreds or thousands of passwords per second. The reason I’m showing you this image is to alert you to what could be happening on your site without your knowledge.

If I wasn’t running the ThreeWP Activity Monitor (now obsolete – update Nov 2015), I wouldn’t know anything about these attempts to log in.

The easiest thing you can do to secure your site is to use a hard to guess username and password combination.

Using a very secure password alongside the admin user may make it more difficult to hack your site, but if your password is in the dictionary and/or you changed common letters such as e, o or i for numbers such as 3, 0 or 1, you may still be open to attack. Switching numbers for similar letters come from Leetspeak: an alternative dictionary for use online. It’s well-known in the hacking community and provides little resistance to software designed to guess passwords at the rate of thousands every second.

I hope what you’ve just read opens your eyes to the vulnerability of the admin username, which WordPress uses by default and millions of bloggers are either too lazy to change, or they don’t realize they’re partially opening a door for attackers.

Dealing with the admin user

When it comes to brand new installations of WordPress, always change the username to something other than admin.

WordPress is such a popular platform these days, most web hosts offer a one-click installation process. As you go through it, check each section and when it comes to choosing a username, pick something other than admin. Once you’re all set up, choose a nickname to display on your site.

If you’ve blogged for a while using the admin username, you can easily switch all that content to another user and delete the admin account. Before you do this, make sure you have a backup of your site for when something goes wrong.

Here’s how to do it…

If you don’t have another account with admin rights, you must create one.

How to create a new WordPress user account

In the left-side menu navigate to Users and click on Add New. You will see a screen like this:

WordPress Add New User

There are four steps:

  1. Think of a username and enter it into the username field. The username cannot be changed and it’s only used for logging in. Each user can choose an alternative name to display publicly, if your site displays author names.
  2. Enter the email address for the user. WordPress uses this email to send password reminders and contact the user.
  3. Enter a new password.
  4. Change Subscriber to Administrator so the new account has full control.

Now you have created the new account, log out of WordPress and log back in using the new details.

How to delete the admin user

Navigate to the Users screen via the left-side menu. If you only have two users the list looks something like this:

Delete WordPress User

Click on the Delete link for the admin account.

On the next screen, you get the option to delete all posts by the user or re-assign them to another user. As we want to re-assign the posts, we click the radio button next to that option and use the pull-down menu to choose the account we want to use.

Assign User Posts

Now hit the Confirm Deletion button and the account is gone, with all posts attributed to the new user.

I’ve done this several times now and each time it’s worked flawlessly. However, you should backup your site for when something goes wrong.

About passwords

A Lifehacker post from 2011 argues for using common phrases as passwords instead of “complete gibberish”, as they take longer to crack. The post is interesting and the comments enter the realms of geekism most of us avoid.

The point of the article is that a phrase like “this is fun” (including spaces as part of the password) is more difficult to guess than a password made up of a group of letters and numbers, and it’s easier to remember.

It sounds crazy, but according to this site, which tests the strength of a password, it’s true.

In the WordPress scenario the bot or person already knows the username (admin), the URL of the login page (if WordPress is installed in the root directory), so all it has to do is guess the password.

Here’s the results of some passwords I tested. What you see is the length of time it could a desktop PC running hacking software to guess the password:

  • password – instantly (duh!)
  • t1m3tabl3 – 7 hours
  • calculator – 9 hours
  • wimfsiltc*** – 178 years
  • iutla164*!” – 1,000 years
  • i!love!winter – 7,000 years
  • i love winter (spaces included) – 24,000 years
Secure Password

I’m sure none of us will need a password for 24,000 years, but at the other end of the scale, using a password that takes just seven hours to crack is very risky. And using an almost lethal combination of admin and password is insane – you’re asking for trouble.

Wrapping up

Your average WordPress blog will never be fully secure. But I believe you should do as much as you can to prevent people from getting access to your site. For this reason, it makes a lot of sense to keep all plugins, themes and the core files up to date. It also makes sense to close the door on a way-in people don’t often talk (or think) about – the login page.

Doing these few things will save you a lot of stress and worry should your site(s) ever become a target.

If you’re using the admin username, your homework for today is: create a new user, switch the content from admin to the new one (or an alternative) and delete admin. Don’t forget to backup your site first!

If you don’t use the admin user, you’re homework-free! Go do something you enjoy.

I’d love to read your comments on this subject. Has somebody gained access to your site this way? If so, share your story.