Why and How To Change the Default Username on WordPress

Your WordPress login credentials are the first line of defense for your site against hackers. Using the default username ‘admin’ is harmful to your site. Do you know how to change your WordPress username?

Your username is important

How many hackers does it take to break into your site?

Well… Zero.

Most hacks are automated and performed by hackers’ bots. Just as a search engine’s bots crawl the internet for content, hackers’ bots crawl for vulnerabilities that they can exploit. Unfortunately, one of the most common vulnerabilities (and the most common mistakes WordPress site owners make) can be found on the WordPress login page, in the form of weak credentials.

Why hackers attack the login page

Your WordPress site’s login page is what grants access to your site. If hackers can successfully exploit your login, then they can access your site like a seemingly ‘legitimate’ user; and can use your site to do anything they have in mind.

In the hacker’s eyes, attacking the login page is the easiest hack, especially when they have bots programmed to try commonly used username-password combinations. Attacks like Brute Force or Dictionary attacks have bots entering combinations till they crack the right one, so they’re called ‘guessing attacks’.

Why change your username?

With every character added to your login credentials, the number of guesses that bots have to make to gain access to your site increases. Most people think that this only applies to the password and its strength, but they forget that the username is also part of your login credentials. Anyone trying to log in to your site must get both the username and the password right in order to gain access to your WordPress site. Using the default username (admin), therefore, means that the bots only have to get the password right in order to gain access to your site. Keeping the default username reduces the time taken by the bots to crack your credentials by 50%.

Choosing anything other than the default username makes your site a little more secure, and as an extension to this, choosing a unique username is the most basic step to protecting your site.

A few factors that must be taken into consideration when choosing a username are:

  • The username should be unique, but must also be a name by which you would like to be known, since it’s not going to be hidden. This would help, especially in instances where subscribers to your website will be able to see your username, or you have to moderate a discussion on your website. Hackers in general perform noncommittal attacks, meaning that they don’t personally know your site, your username, or your role on the site. As mentioned, in these cases, they usually use guessing attacks to attack your login page. Targeted attacks however, will need the hackers to observe your site for a while, so they might know your username. This isn’t a bad thing though (we’ll tell you why at the end of this article.)
  • When you change your username, you won’t lose your rights as the Administrator of the site, or lose any of your content on the site.

How to change the username on WordPress

Now that we’ve established how important it is to change your WordPress username from ‘admin’, you should know how to make the change.

There are three ways you could go about changing your username on WordPress:

  1. From your WordPress site’s dashboard
  2. Using a plugin
  3. By making changes to your site from phpMyAdmin

1. From your WordPress site’s dashboard

Changing the username on WordPress by this method is a little weird. You have to create a new user with a new username, and attribute this new user with admin rights, as well as all the content you’d put up on the site. This means that you will not be missing anything from the original account. However, this method has one drawback: you have to use a different email address from the one used for the ‘admin’ username.

How to change your username from your WordPress site’s dashboard:

Step 1: Click on the Users tab on your WordPress site, and check out the email address attached to the ‘admin’, under Your Profile.

Step 2: Click on ‘Add New’ under the ‘Users’ tab.

Add New User from the WordPress dashboard

Step 3: Fill out the details. Make sure to use a different email address, and password from the one used for the username ‘admin’.

Fill up all the details required, and set up their post as 'Admin'.

Step 4: Logout, and then log back in with the new username and password.

Step 5: Go back to the ‘All Users’ tab, and select ‘Delete Users’. Make sure to attribute all your content to the new user you’ve created before hitting ‘Confirm Deletion’.

Deleting users

That’s it! You now have a new username that is more difficult to guess.

2. Using a plugin

This is significantly easier than creating a new user from scratch from the WordPress dashboard. To illustrate this, we’re going to be using the Username Changer plugin.

Step 1: Install and activate the Username Changer plugin.

Step 2: Click on the ‘Users’ tab on your site. You should be able to see ‘Username Changer’ right below the ‘Your Profile’ tab.

Using the Username Changer plugin

Step 3: Once you click on ‘Username Changer’, you can select which user’s details you’d like to change (in this case ‘admin’), and save the changes. You can then log out, and log back in again with the same password that you used for ‘admin’.

Select which user you'd like to change the name of, with the Username Changer plugin.

Congratulations! You now have a new username.

The best part about this method is that you could use the plugin just for this purpose, and delete it once the username is changed. Doing so will not undo any changes made to the username, or affect your site negatively.

3. From phpMyAdmin

This process is a little more difficult, and requires changes to be made to your WordPress site’s database, which we don’t recommend. But if you’ve forgotten the email address you used to create your WordPress admin account, or your username, this option might come in handy. Before you follow these steps, please make sure that you have a reliable backup solution to depend on, such as BlogVault.

Step 1: Login to your cPanel, and click on phpMyAdmin (we used a site of ours hosted on HostGator for this demo).

phpMyAdmin on HostGator's cPanel

Step 2: Select the admin database of your WordPress site.

Selecting databases

Step 3: Click on the ‘wp_users’ table. If you’ve changed the name of this table, you might have to remember and locate it.

wp_admin database in phpMyAdmin

Step 4: Locate the username you want to edit, and click ‘Edit’.

Editing the admin entry

Step 5: Type in the new username as the ‘Value’ for ‘userID’.

Editing the username value

Note: Once you type the new username, the field will turn red. Don’t get alarmed. This is just phpMyAdmin alerting you of a change.

Step 6: Scroll to the bottom, and click on ‘Go’ for ‘Save’.

Final step of editing username on phpMyAdmin

You now have a new username.
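
The same rename can be typed into phpMyAdmin's SQL tab instead of the row editor. The statements below are an added example, not part of the original article; they assume the default `wp_` table prefix and use `site_owner_example` as a placeholder for the new name. In a stock WordPress schema the login name is stored in the `user_login` column of `wp_users`.

```sql
-- Added example. Assumptions: default table prefix wp_, and
-- 'site_owner_example' is a placeholder for the new login name.
-- Take a database backup before running this.

-- 1. Inspect the current account and confirm the new name is not taken.
--    Expect exactly one row, the one whose user_login is 'admin'.
--    The index on user_login is not UNIQUE, so the database itself
--    will not stop you from creating a duplicate login.
SELECT ID, user_login, user_nicename, user_email, display_name
FROM wp_users
WHERE user_login IN ('admin', 'site_owner_example');

-- 2. Rename inside a transaction so the result can be checked first.
--    (Transactions only take effect on InnoDB tables; on an old MyISAM
--    table the UPDATE is applied immediately.)
START TRANSACTION;

UPDATE wp_users
SET user_login = 'site_owner_example'
WHERE user_login = 'admin';

-- 3. Must return 1. Any other value means the WHERE clause matched
--    nothing or matched several rows: run ROLLBACK instead of COMMIT.
SELECT ROW_COUNT() AS rows_changed;

-- 4. Confirm the row. The ID is unchanged, so posts (linked through
--    wp_posts.post_author) and the stored password hash stay attached
--    to the account. user_nicename and display_name are separate
--    columns and are not modified by this statement.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'site_owner_example';

COMMIT;
```

After the commit, log in with the new name and the existing password.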

Be careful of the ways you use to ‘protect’ the login page.

While changing the username and using it in conjunction with a strong password is an essential step, there are a number of other practices that are highly recommended. However, not all of them are useful.

One of the inefficient ways of protecting your WordPress login is the practice of ‘hiding’ the WordPress username. WordPress doesn’t recommend this measure, since having a visible username is not actually a vulnerability.

It is important to not follow useless, more complex procedures that might harm your site; and to focus on the real measures essential to hardening your site against hackers’ attacks. Your login credentials are the first line of defence to your WordPress site, so it’s essential for you to have strong ones.

While enforcing a strong password is critical to having a safe login page, having a unique username does its part too, in protecting against guessing attacks.

Investing in a security measure like a WordPress firewall would help you avert hackers’ attacks even more. However, since there is no such thing as a secure website, it is important to also have an accurate, intelligent malware scanner and hack cleaner, like MalCare, to deal with malicious code on your site in case a hacker has already penetrated your WordPress site.


Akshat is the Founder and CEO of BlogVault, MalCare, and WP Remote. These WordPress plugins, designed for complete website management, allow 100,000+ customers to build and manage high-performance websites with ease.
