Keeping any website secure should be an ongoing process and WordPress sites are no exception. One of the easiest ways for a hacker to access your WordPress site is to simply guess your username and password.
“Admin” is the default username for many older installations of WordPress, and hackers know this. Once an attacker already has your username, all that remains is to brute-force your password.
This means you should change the administrator username from admin to something more personal and harder to guess.
If your administrator-level username is Admin, you can change it in one of two ways.
(Before making any changes to your site always do a back-up!)
#1 Run a SQL query to your database
Run the following SQL query against your database, replacing Your New Username with the new username you want.
UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'Admin';
If you are not comfortable running a SQL query or you have no idea what that even is, solution two is the answer for you.
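The query above changes only user_login, but WordPress also stores user_nicename (the slug used in /author/<slug>/ URLs) and display_name (printed on posts), and both still say "admin" after that single UPDATE, so the old username can still be read off the site. The following script is an added example, not code from the original post: it runs the post's query and a fuller one against a constructed in-memory SQLite stand-in for the wp_users table (the default wp_ table prefix and the lowercase "admin" login that WordPress actually creates are assumed) and checks whether the old name is still visible afterwards. SQLite compares strings case-sensitively, unlike MySQL's default collation, so the WHERE value must match the stored spelling exactly. The nicename() helper is an assumed approximation of WordPress's sanitize_title().

```python
import re
import sqlite3

# Constructed stand-in for the WordPress wp_users table (default "wp_" prefix
# assumed). Only the columns relevant to a username change are included.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY,
    user_login TEXT NOT NULL,
    user_nicename TEXT NOT NULL,
    display_name TEXT NOT NULL,
    user_email TEXT NOT NULL
);
"""

# Constructed sample data: an old-style install whose first user is "admin".
SAMPLE_ROWS = [
    (1, "admin", "admin", "admin", "owner@example.com"),
    (2, "editor_jane", "editor_jane", "Jane", "jane@example.com"),
]


def fresh_db():
    """Build the sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def nicename(login):
    # Assumed approximation of WordPress's sanitize_title(): lowercase,
    # runs of non-alphanumeric characters collapse to a single hyphen.
    return re.sub(r"[^a-z0-9]+", "-", login.lower()).strip("-")


def rename_login_only(conn, old_login, new_login):
    """The post's query: updates user_login and nothing else.
    Returns the number of rows changed (expect exactly 1)."""
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ? WHERE user_login = ?",
        (new_login, old_login),
    )
    conn.commit()
    return cur.rowcount


def rename_admin(conn, old_login, new_login, new_display_name):
    """Renames user_login and also user_nicename and display_name.
    display_name is public, so it should differ from the new login;
    otherwise the new username is as easy to read off the site as the old one."""
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ?, user_nicename = ?, display_name = ? "
        "WHERE user_login = ?",
        (new_login, nicename(new_login), new_display_name, old_login),
    )
    conn.commit()
    return cur.rowcount


def user_row(conn, user_id):
    """Return the name-related columns of one user as a dict."""
    row = conn.execute(
        "SELECT user_login, user_nicename, display_name FROM wp_users WHERE ID = ?",
        (user_id,),
    ).fetchone()
    return dict(zip(("user_login", "user_nicename", "display_name"), row))


def still_exposes(conn, old_login):
    """True if any column that ends up on a public page still carries old_login."""
    count = conn.execute(
        "SELECT COUNT(*) FROM wp_users "
        "WHERE user_login = ? OR user_nicename = ? OR display_name = ?",
        (old_login, old_login, old_login),
    ).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = fresh_db()
    rename_login_only(db, "admin", "siteowner42")
    print("post's query only:", user_row(db, 1), "exposed:", still_exposes(db, "admin"))
    db = fresh_db()
    rename_admin(db, "admin", "siteowner42", "Site Owner")
    print("full rename:      ", user_row(db, 1), "exposed:", still_exposes(db, "admin"))
```

The same three-column UPDATE can be run directly against MySQL; check the row count it reports is 1, and also look at the nickname entry for that user in wp_usermeta, which WordPress keeps separately from wp_users.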
#2 Set Up a new Admin account and delete the old one.
Go to the users section of your dashboard and set up a new admin level user. You will need a different email address for this account, but once it is set up and the other admin account deleted, you can change the email address back.
Log out and log in with your new admin-level account.
Go back to the Users section and delete the old admin account.
VERY IMPORTANT – When you go to delete the user, WordPress will prompt you to either delete all posts from the old user or attribute them to another user. The default selection is to delete the posts – DO NOT DELETE THEM. Select the option to attribute the posts to the new user account you set up.
Now you can go change your email address back to the old one if you need to. This is especially important if you have a Gravatar set up.
A Couple more WordPress Security Tips:
- Make sure your WordPress password is strong by using a combination of letters, numbers and special characters. Avoid passwords like these – 25 most-used passwords revealed
- Add a plugin that prevents multiple login attempts. This plugin blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
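To show what such a plugin is doing underneath, here is an added example (not code from the original post or from any particular plugin): a small limiter that counts failed logins per source address inside a sliding window, locks the address out once the limit is reached, and rejects further attempts, including a correct guess, until the lockout expires. The thresholds and the login events it is replayed over are constructed for the example; the addresses are documentation ranges.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Locks an IP address out for `lockout` seconds once it has produced
    `max_failures` failed logins within any `window`-second span."""

    def __init__(self, max_failures=5, window=600, lockout=1200):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout ends

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: forget the old failures and let the IP try again.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record(self, ip, success, now):
        """Process one login attempt and return its outcome:
        'blocked' - rejected before credentials are even checked (IP is locked)
        'ok'      - credentials were correct, failure history cleared
        'fail'    - credentials were wrong, failure counted
        'locked'  - this failure reached the limit and started a lockout"""
        if self.is_locked(ip, now):
            return "blocked"
        if success:
            self._failures.pop(ip, None)
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        # Drop failures that fell out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return "locked"
        return "fail"


# Constructed sample of login events: (seconds since start, source IP, username, success)
SAMPLE_EVENTS = [
    (0, "203.0.113.5", "admin", False),
    (3, "203.0.113.5", "admin", False),
    (7, "203.0.113.5", "admin", False),
    (9, "203.0.113.5", "admin", False),
    (12, "203.0.113.5", "admin", False),        # fifth failure -> lockout starts
    (15, "203.0.113.5", "admin", True),         # right password, but still rejected
    (20, "198.51.100.9", "siteowner42", True),  # another address is unaffected
]


def replay(events, limiter=None):
    """Feed a list of events through a limiter and return the outcome of each."""
    limiter = limiter or LoginLimiter()
    return [limiter.record(ip, ok, ts) for ts, ip, _user, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

The point the replay makes is that the limiter does not need to know whether a password is right: after the limit is hit, the sixth attempt is turned away before the password is compared at all, which is what turns a guessing run from cheap into slow.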
If you have any questions about WordPress security or ideas on how to make WordPress sites more secure, share them in the comments below.