Update: 11/21/12: For the past few months, I’ve been using Login Security Solution rather than Limit Login Attempts. It does all of the same functions and more. In particular, I really like that it forces all users on my sites to pick strong passwords. But even with a new plugin, the main point here—don’t use “admin”—is as true as ever.
At the suggestion of WP Tavern, I installed the Limit Login Attempts plugin for WordPress on my site a few days ago. Already, it’s caught three different IP addresses trying to log in to this website, and that’s probably been going on for some time. One IP address in Russia even made three attempts. This might seem a little alarming, but I’m not very concerned. Here’s why.
A Common Hacking Technique
Automated “bots” commit a large percentage of WordPress hack attempts. Because they’re mindless, they just have to make their best guess as to a username and password. When they find a WordPress login form, they start pelting it with username and password combinations. ((This is one type of “brute-force” hacking technique. It’s not clever, it just tries over and over and over again.))
The default administrative user in WordPress is named “admin.” On every WordPress website I install, I never use the “admin” account. Not only do I not use it, I either delete it or don’t create it in the first place. ((To be clear, you still need an account with the “Administrator” role. You’ll have problems if you don’t. It’s just that you need that Administrator account to be named something other than “admin.”))
And so guess what username these login attempts have tried? That’s right, “admin.” For my site, so far every attempt has tried to log in with the username “admin,” which doesn’t exist on this site. (WP Tavern sees similar results.)
What You Can Do
So if you’re reading this and worried about your “admin” user accounts, fear not. There are multiple ways you can resolve the issue.
One strategy is to manually remove the “admin” account.
- First, create a new user with the “Administrator” role. For this site, I might use “mrw_admin” or “markrw” or “mrwweb.”
- Log out of the “admin” account.
- Log in to your new account.
- Go to “Users,” and delete the “admin” account.
- IMPORTANT: WordPress will ask you what you want to do with Posts and Pages assigned to the “admin” user. Make sure to reassign these to the new account you just created or another user. I’m pretty sure that if you leave them unassigned, they will be DELETED.
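The same steps can be run from the command line with WP-CLI. The script below is an added example, not code from the original post: it assumes WP-CLI is installed and run from the site’s root (or given --path), and the login “mrw_admin” and the e-mail address are placeholders to replace. It refuses to recreate an account named “admin,” and it always passes --reassign so the old account’s posts and pages are kept.

```shell
#!/bin/sh
# Added example: replace the "admin" account with a differently named
# Administrator using WP-CLI. Run from the WordPress root (or add --path=...).
set -eu

# Returns 1 if the proposed login is empty or is "admin" in any case,
# so the script never recreates the account it is about to remove.
check_new_login() {
    case "$1" in
        ""|admin|Admin|ADMIN) return 1 ;;
    esac
    return 0
}

# Creates $1 as an Administrator (WP-CLI prints the generated password),
# reassigns everything owned by "admin" to that user, then deletes "admin".
replace_admin_user() {
    new_login="$1"
    new_email="$2"
    check_new_login "$new_login" || {
        echo "refusing to use '$new_login' as the new login" >&2
        return 1
    }

    # Nothing to do if "admin" was never created on this site.
    if ! wp user get admin --field=ID >/dev/null 2>&1; then
        echo "no 'admin' account found; nothing to remove"
        return 0
    fi

    # Step 1: create the replacement Administrator.
    wp user create "$new_login" "$new_email" --role=administrator
    new_id=$(wp user get "$new_login" --field=ID)

    # Steps 4 and 5: delete "admin" and reassign its posts and pages to the
    # new user. Without --reassign, WordPress deletes that content.
    wp user delete admin --reassign="$new_id" --yes

    # Show who is left with the Administrator role.
    wp user list --role=administrator --fields=ID,user_login
}

if [ "$#" -ge 2 ]; then
    replace_admin_user "$1" "$2"
else
    echo "usage: $0 <new-login> <new-email>   (e.g. mrw_admin you@example.com)" >&2
fi
```

Back up the site before running it; WP-CLI’s --yes skips the confirmation prompt, so the deletion is immediate.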
You can also try to do this using one of the plugins built to do this. I’ve never used any of them, though, so I won’t recommend one. If you try it, make sure to back up your site in case anything goes wrong.
Proceed with Caution
This certainly doesn’t mean I’m completely protected from attacks; I know I’m not. I’ve taken multiple other precautions to secure the site, and I’m always looking for ways to better lock down my site. However, it’s nice to see some data confirming that this one little change—removing the “admin” user, that is—can circumvent a lot of attacks.
Talk Back
Share other good security tips in the comments!