WordPress admin accounts are a powerful way to manage your website. Unfortunately, when you create that account with the username "admin" or another common name, attackers already have half of what they need to break in: the only thing left for them to find is the password.
In this blog post we're going to discuss how a guessable admin username leaves your WordPress site open to attack and what precautions you should take to protect yourself.
What are common admin usernames for WordPress websites?
The most common usernames on WordPress websites are "admin", "administrator" and simple usernames such as the owner's own name.
Most people end up with these accounts when they first install WordPress from scratch, or because a one-click installer at their hosting provider created the account for them with a default name.
This means an attacker only has to try a handful of common usernames to find the one that actually has administrative privileges on the site. They're already half way there.
Username guessing is cheap: there are only a few dozen plausible candidates, and by default the login form tells the attacker whether a username exists, so the whole burden of keeping them out falls on the password.
Here's a short list of common usernames I have found over the years of administering WordPress websites:
- admin
- administrator
- site
- siteadmin
- webadmin
- wordpress
- user
- test
- support
If your site is using any of the above names, change your admin username now. WordPress does not let you edit a username from the profile screen, so either create a new administrator with a different name and delete the old account (reassigning its posts to the new one), or rename it directly in the database.
For a more comprehensive list, I would suggest looking at this article on the F5 website.
So what is a secure username?
I recommend using a username that is not easily guessed. Here are some rules of thumb for picking one:
- Do not use your name, your company name, the site's domain, or close variations of them.
- Avoid the names of popular children's characters such as SpongeBob or Mickey Mouse; they are in every wordlist.
- Your username should be hard to guess yet simple enough for you to remember.
- If you add numbers, avoid the obvious ones such as a birth year, the current year or 123.
- If you're having difficulty choosing a name, try an online username generator. NordPass and LastPass offer some.
Only use your WordPress admin account for administering WordPress
It's not recommended to use your admin account for editing or creating articles. Every time the administrator logs in from a laptop, a phone or a shared network, that highly privileged session is exposed, and day-to-day publishing does not need it.
Instead, add a separate user with a lower-privileged role (Author or Editor) for adding blog articles and page updates, and log in as the administrator only when you need to install plugins, update WordPress or change settings.
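The two changes above (retiring the guessable administrator login and creating a separate lower-privileged account) done in one go, as an added example that is not code from the original post. It assumes WP-CLI is available on the server and is run once with `wp eval-file rename-admin.php`; the logins, display names and e-mail address are placeholders.

```php
<?php
/**
 * Added example, not code from the original post: rename a guessable
 * administrator login and create a separate Editor account for writing.
 * Run once on the server with WP-CLI:
 *
 *     wp eval-file rename-admin.php
 *
 * The names and e-mail address below are assumed placeholders.
 */

$old_login    = 'admin';          // assumed: the login being retired
$new_login    = 'k9v-siteops';    // assumed: not derived from the site, domain or author
$editor_login = 'content-desk';   // assumed: the everyday publishing account

global $wpdb;

$new_login = sanitize_user( $new_login, true ); // same strict rules as the registration form

$user = get_user_by( 'login', $old_login );
if ( ! $user ) {
    WP_CLI::error( "No user with login '{$old_login}' exists." );
}
if ( username_exists( $new_login ) ) {
    WP_CLI::error( "Login '{$new_login}' is already taken." );
}

// wp_update_user() never changes user_login, so write the column directly.
// user_nicename is the slug in /author/<slug>/ URLs and in the REST API and
// defaults to the login, so it must change too or the old name stays public.
$rows = $wpdb->update(
    $wpdb->users,
    array(
        'user_login'    => $new_login,
        'user_nicename' => sanitize_title( $new_login ),
    ),
    array( 'ID' => $user->ID ),
    array( '%s', '%s' ),
    array( '%d' )
);
if ( false === $rows ) {
    WP_CLI::error( 'Rename failed: ' . $wpdb->last_error );
}

// Drop the cached WP_User first: wp_update_user() below re-reads the user and
// would otherwise write the stale nicename back over the new one.
clean_user_cache( $user->ID );

// Nickname and display name both default to the login. Give them a value that
// says nothing about the new login. The renamed user is logged out everywhere,
// because the auth cookie embeds the username.
wp_update_user( array(
    'ID'           => $user->ID,
    'nickname'     => 'Site Team', // assumed
    'display_name' => 'Site Team', // assumed
) );
WP_CLI::success( "Renamed '{$old_login}' to '{$new_login}'." );

// An Editor can write, edit and publish all posts and pages but cannot install
// plugins, change settings or manage users, which is all a writing account needs.
if ( ! username_exists( $editor_login ) ) {
    $editor_id = wp_insert_user( array(
        'user_login'   => $editor_login,
        'user_pass'    => wp_generate_password( 24, true, true ),
        'user_email'   => 'content@example.com', // assumed
        'role'         => 'editor',
        'display_name' => 'Content Desk',        // assumed
    ) );
    if ( is_wp_error( $editor_id ) ) {
        WP_CLI::error( $editor_id->get_error_message() );
    }
    WP_CLI::success( "Created editor '{$editor_login}' (ID {$editor_id}); set its password with: wp user update {$editor_login} --user_pass=<new password>" );
}
```

Take a database backup before running it. The generated editor password is deliberately thrown away: set a real one afterwards with `wp user update` or a password-reset e-mail, so the secret never sits in a script or shell history.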
Use a secure password alongside your secure username
Don't use a common password, a dictionary word, or anything that appears in a leaked-password list.
Use long passwords that mix letters, numbers and symbols; length matters more than any single symbol, so a password manager's generated string or a random passphrase is ideal.
Don't reuse your WordPress password on other services, and never send your login credentials over chat or social media sites like Facebook or Twitter.
Use Two-Factor Authentication for WordPress
Search for a WordPress two-factor authentication plugin in the plugin directory and follow its installation instructions. I have used miniOrange before with great results.
Where possible, use 2FA for every service you use, not just WordPress.
You can also add login lockouts (a timeout after a handful of failed attempts from one IP address or against one username) to slow brute-force attacks against wp-login.php.
Hide your WP-Login page
There are a few ways to hide your login page from prying eyes by moving wp-login.php to a different URL.
iThemes Security is my go-to solution, but there are more plugins in the WordPress repository. Bear in mind that this is obscurity: it cuts down bot traffic against the default URL, but it is no substitute for 2FA and a strong password.
Don’t have identical login and display names
If your display name is the same as your username, you're giving hackers a head start: WordPress prints the display name next to every post, and the author archive URL is built from the login name, so both are easy to read off the public site. On your profile screen, pick something other than the username in the "Display name publicly as" dropdown. This small extra step goes a long way when setting up user accounts.
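Changing the display name only closes one of the places WordPress gives usernames away. The must-use plugin below, an added example that is not code from the original post, shuts the others: the `?author=N` redirect, the REST users endpoint, oEmbed author fields, the users sitemap and the login form's "unknown username" message. It assumes a standard single-site install; drop it into `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Stop username enumeration
 * Description: Added example, not code from the original post. Drop this file
 *              into wp-content/mu-plugins/ and it loads on every request.
 */

// /?author=1 normally 301-redirects to /author/<user_nicename>/, and the
// nicename defaults to the login. Refuse numeric author lookups from visitors
// who are not logged in.
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_REQUEST['author'] ) && preg_match( '/^\d+$/', (string) $_REQUEST['author'] ) ) {
        wp_die( 'Not found.', 'Not found', array( 'response' => 404 ) );
    }
} );

// /wp-json/wp/v2/users lists every author's slug (the login, by default) and
// display name. Keep it for logged-in users, who need it in the block editor,
// and remove it for everyone else.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// The oEmbed endpoint returns author_name and author_url for every public post.
add_filter( 'oembed_response_data', function ( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

// Since WordPress 5.5 the core sitemap publishes /wp-sitemap-users-1.xml with
// one author URL per user. Drop the users provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

// The login form normally says whether the username exists ("Unknown username")
// or only the password was wrong. Return the same message in both cases.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

Themes still print author bylines and link to `/author/<slug>/`, and the slug is `user_nicename`, which defaults to the login; if the login is already public that way, change the nicename in the database as well rather than relying on the display name alone.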
Disable XML-RPC
xmlrpc.php accepts a username and password in every request, and its system.multicall method lets one HTTP request carry hundreds of login attempts, so it is a favourite brute-force target. Unless you rely on the WordPress mobile app or Jetpack, turn it off. You can disable XML-RPC at the web server level: on Apache, deny access to xmlrpc.php from the .htaccess file (edit it over FTP or through your hosting control panel).
If you use NGINX, there’s a great article here: https://wpbeaches.com/block-xmlrpc-php-and-wp-login-php-via-nginx/
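If you would rather not touch the web server configuration, the same result can be had inside WordPress. The must-use plugin below is an added example, not code from the original post or from the linked article; it assumes a standard install and that the `KEEP_XMLRPC_FOR_APPS` constant (a name chosen here) is set to true only if a mobile app or Jetpack still needs the endpoint.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC
 * Description: Added example, not code from the original post. Drop into
 *              wp-content/mu-plugins/. Works behind Apache and NGINX alike
 *              because it acts inside WordPress, not in the web server config.
 */

// Assumption: true only if the WordPress mobile app or Jetpack still needs
// XML-RPC. Then the endpoint stays up but its most abused methods are removed.
define( 'KEEP_XMLRPC_FOR_APPS', false );

if ( KEEP_XMLRPC_FOR_APPS ) {
    // pingback.ping is abused for reflected DDoS and server-side requests, and
    // system.multicall packs hundreds of login attempts into one HTTP request,
    // so a per-request lockout counts the whole batch as a single try.
    add_filter( 'xmlrpc_methods', function ( $methods ) {
        unset(
            $methods['pingback.ping'],
            $methods['pingback.extensions.getPingbacks'],
            $methods['system.multicall']
        );
        return $methods;
    } );
} else {
    // The filter everyone recommends. WordPress checks it in
    // wp_xmlrpc_server::login(), so it stops every method that needs a login
    // but leaves unauthenticated ones such as pingback.ping working.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // So also refuse the whole request with 403 before WordPress parses the
    // XML body. XMLRPC_REQUEST is defined at the top of xmlrpc.php.
    add_action( 'init', function () {
        if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
            status_header( 403 );
            nocache_headers();
            exit;
        }
    } );
}

// Either way, stop advertising the endpoint: the X-Pingback response header
// and the RSD <link> tag in <head> both point scanners straight at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

To check it worked, POST a small `system.listMethods` body to `/xmlrpc.php`: the full block should answer 403, and the app-friendly variant should answer with a method list that no longer contains `system.multicall` or `pingback.ping`.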
Conclusion
So how can you protect yourself against hacking? The first step is to secure your username and password: pick a username that is not on any common list and pair it with a long, unique password that includes numbers and special characters, with two-factor authentication on top. Secondly, if possible, create an entirely separate lower-privileged account for adding blog articles and keep the administrator account for administration only. Finally, as an additional precautionary measure, hide your login page and switch off XML-RPC. That is security through obscurity, so treat it as a way to cut down the noise rather than as your main defence; only trusted people who know the new URL will find the login form.