Delete the Default Administrator

When you install WordPress, the default administrator is given the predictable username of admin. This appears harmless but is a huge security flaw. Why?

Well, one way to gain unauthorized access to a system is through brute force cracking. This works by using a program to automatically guess possibly millions of different username and password combinations over and over.

Using the admin username basically speeds up the process for brute forcers because it’s just one less thing they have to figure out. In reality you should think of your WordPress username as a second password, and therefore follow rules similar to those for strong passwords:

  • Don’t tell people your username.
  • Don’t choose an obvious username (like your real name).
  • Use a mixture of numbers and letters.

Hide your True Username

By default, the username you log in with is the name that is publicly displayed with your posts. You need to change this to keep it hidden:

  1. Go to the “Your Profile” page.
  2. Find the field labelled “Display your name publicly as”.
  3. Change this to something other than the username you log in with.

How to Delete the ‘admin’ User

Your WordPress installation cannot be without an administrator. This means you need to create a new administrator before you can delete the default one. And here’s how to do exactly that:

  1. Log in to the WordPress administration area.
  2. Click on the “Add New User” link under the “Users” menu.
  3. Fill out all the necessary details, and choose a username in the same way you would choose a password. Make it complex and hard to guess.
  4. Set the “Role” to “Administrator”.
  5. Click on the “Add User” button.
  6. Log out.
  7. Log in with the newly created account.
  8. On the “Authors & Users” page you’ll now have the ability to delete the original admin user.
  9. Click on the “Delete” link next to that user and you’ll be given the ability to assign all previously written posts to the new admin.
  10. Confirm the deletion.
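
The checks described on this page can be run over an exported user list. The following is an added example, not part of the original post: it audits records shaped like the output of WP-CLI's `wp user list --format=json`. The sample records are constructed, the function names are hypothetical, and it assumes the roles field is a comma-separated string.

```python
import json

# Constructed sample: a subset of the fields in `wp user list --format=json`.
SAMPLE_USERS = json.loads("""[
  {"ID": 1, "user_login": "admin", "display_name": "admin", "roles": "administrator"},
  {"ID": 2, "user_login": "k7rwen42pq", "display_name": "Site Editor", "roles": "administrator"},
  {"ID": 3, "user_login": "janedoe", "display_name": "Jane Doe", "roles": "author"}
]""")


def _norm(text):
    """Lowercase and keep only letters and digits, so 'Jane Doe' matches 'janedoe'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def audit_user(user):
    """Return the findings for one user record, following the rules on this page."""
    login = user["user_login"]
    findings = []
    if login.lower() == "admin":
        findings.append("default 'admin' username")
    if _norm(user["display_name"]) == _norm(login):
        findings.append("display name reveals the login username")
    if not (any(c.isdigit() for c in login) and any(c.isalpha() for c in login)):
        findings.append("username is not a mixture of numbers and letters")
    return findings


def audit(users):
    """Return (findings per login, whether a replacement administrator exists)."""
    report = {u["user_login"]: audit_user(u) for u in users}
    # Assumption: roles arrive as a comma-separated string.
    replacement_exists = any(
        "administrator" in [r.strip() for r in u["roles"].split(",")]
        and u["user_login"].lower() != "admin"
        for u in users
    )
    # WordPress needs an administrator, so one must exist before 'admin' is deleted.
    return report, replacement_exists


if __name__ == "__main__":
    report, replacement_exists = audit(SAMPLE_USERS)
    for login, findings in report.items():
        print(login, "->", findings or "ok")
    print("replacement administrator exists:", replacement_exists)
```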
