A basic security measure you can take with WordPress is to not use the default admin username on your site. The default administrator username is the subject of most brute force attacks because, as a default, it is known to everyone. If it exists, the attacker only has to guess the password to gain access to your site instead of having to guess both the username and the password, which makes their job significantly easier. If your site has this account, it is wise to remove it as soon as possible. This article explains how you can do so.
To accomplish our goal we will create a new administrator account with a different username and then delete the default admin account.
Before we begin
The procedure is very simple, but just to err on the side of caution it is highly recommended to create a backup of the database before proceeding any further.
Create a new administrator
If we navigate to Users > All Users, we will see a list of existing users on our site. If admin is not in the list, our job is done. If it is, read on to see how to fix this.
Click the Add New button and proceed to fill in the required information for the new user.
TIPS: Use a different email for the new user. WordPress won’t allow you to have the same email on two user accounts, so, at least temporarily, the new user will need a different email; you can modify that later if you wish. You can click the Password button to get the auto-generated password for the new user. The generator will typically output quite robust passwords, so it’s recommended to use them. Of course, you can change the password to something else if you so desire, but avoid using birthdays, pet names, license plates, family names, or anything else that might be easy to guess. If your password is in this list, or closely relates to anything on the list, change it immediately!
In the Role drop down make sure to select administrator as the new user’s role. Once done click the Add New User button to create the user. After the user is created you will be redirected to the users list.
Now log out of your site and log in using the newly created administrator account.
Delete the old administrator
Once you log in with the newly created administrator account, navigate back to Users > All Users. You will again be presented with the user list, which will now include the administrator account we have just created. Hover over the old admin username and click the red delete link.
In the next screen you will be asked what you want to do with the content generated by this user.
If you have created important content with this user account, make sure you check the Attribute all content to radio button and select either the username of the new administrator account or any other account you might want to attribute the content to. If you choose the delete all content radio button, all of the user’s content will be deleted along with the account. To prevent unwanted data loss, only select this if you are absolutely sure that the default admin account has not generated any important content. Next, click the Confirm Deletion button.
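The same procedure can also be scripted with WP-CLI instead of the dashboard. The script below is an added example, not part of the original article; it assumes WP-CLI is installed and run from the WordPress root, and the function names, the backup filename and the login and email arguments are placeholders chosen for illustration.

```sh
#!/bin/sh
# Added example: WP-CLI version of the dashboard steps in this article.
# Assumes WP-CLI ("wp") is installed and this runs from the WordPress root.
# Function names, the backup filename and the arguments are illustrative.

# Read "ID,user_login" CSV on stdin (the output of
#   wp user list --role=administrator --fields=ID,user_login --format=csv)
# and print the ID of the administrator whose login is $1.
# Fails if that login is missing from the list or is "admin" itself.
# Assumes logins without spaces or commas, so the CSV fields are unquoted.
reassign_target() {
    awk -F, -v want="$1" '
        NR > 1 && $2 == want && $2 != "admin" { print $1; found = 1 }
        END { exit !found }'
}

# Replace the default "admin" account with login $1 and email $2.
replace_default_admin() {
    new_login=$1
    new_email=$2
    # If there is no "admin" login, the job is already done.
    old_id=$(wp user get admin --field=ID 2>/dev/null) || {
        echo "no user named admin"; return 0; }
    # Back up the database before changing anything.
    wp db export pre-admin-removal.sql || return 1
    # Create the new administrator unless it already exists.
    # WP-CLI prints the generated password; the email must differ from admin's.
    wp user get "$new_login" --field=ID >/dev/null 2>&1 ||
        wp user create "$new_login" "$new_email" --role=administrator || return 1
    # Refuse to delete unless the replacement really is an administrator,
    # otherwise the site would be left without one.
    new_id=$(wp user list --role=administrator --fields=ID,user_login --format=csv |
        reassign_target "$new_login") || {
        echo "replacement administrator not found" >&2; return 1; }
    # Delete "admin" and attribute all of its content to the new account.
    wp user delete "$old_id" --reassign="$new_id" --yes
}

# Usage: sh replace-admin.sh NEW_LOGIN NEW_EMAIL
if [ "$#" -eq 2 ]; then
    replace_default_admin "$1" "$2"
fi
```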
The old default admin account has been deleted and your site is a little bit safer now. Hopefully you found this guide useful. Have you got any ideas on topics you’d like to see discussed on our blog? Let us know in the comments below.
I have found these steps before, and when I read yours I did try again, but am unable to get rid of the first admin. I am trying very hard to remain anonymous. Unfortunately when I registered everything I didn’t think of that. Now my user name gives me away and so does my email, as it’s a business email. I made a new username and profile and email address. Is it possible that the issue is that I cannot remove the first one because that user is attached to the payment methods?
Hello. This could be the case. WordPress should allow you to remove any user profile if you have the proper permissions. I would urge you to ask the authors of the plugin that handles the payments (for example if it’s WooCommerce, their support) if they have encountered such an issue before, and if so how you could fix the issue.
May I know how I can hide the admin username if the admin replies to any of the comments in the comment section?
By default, if the admin replies to any of the comments, the site shows the admin username, which can be a brute force attack risk.
A good option would be to keep the administrator account for administrative purposes only and create a new editor account with perhaps the same or similar nickname to use for posting and replying to comments.