Unlimited Website Hosting

No Hidden Fees Everything Included

  • Unlimited Space
  • Unlimited Bandwidth
  • Unlimited Email
  • Cpanel the #1 control panel
  • Free Site builder with 1000+ templates
  • 24/7 Support we’re here to help

View all Hosting Plans

Don’t Make it Easy for Hackers to Attack your WordPress Website

There are over 60 million sites running WordPress. If you’re a hacker, that’s a big opportunity. If you’re a WordPress site owner, you need to take action.

WordPress comes with the default username set to “admin” and most people just leave it that way. That’s the problem. In April 2013, a brute force attack successfully gained access to thousands of WordPress accounts using a combination of the “admin” username and the most commonly used passwords (admin, 123456, 666666, 111111, qwerty and password).


Despite the widespread reach of this attack, many site owners still have not modified their site security to minimize their risk of being attacked. These attacks are ongoing and getting more and more sophisticated.

By eliminating the username that is most often targeted by hackers, you are reducing your vulnerability and taking a big step towards improving your site’s security.

WordPress founder Matt Mullenwag said “If you still use ‘admin’ as a username on your blog, change it, use a strong password, and of course make sure you’re up-to-date on the latest version of WordPress.”

That’s great advice.

Since WordPress 3.0, users have been allowed to pick a custom username upon installation.

Unfortunately, hackers (and bots) are getting smarter. Rather than simply trying ‘admin’ as the username, login attempts are being made with usernames obtained directly from the site. For example, www.mysite.com might have a username of ‘mysite’. So if your website is called www.knittingwithjane.com, don’t make your username ‘knittingwithjane’ or even ‘jane’. Names that appear in blog posts as authors are also not a good option to use. It will only be a matter of time before hackers also target these successfully.

If you didn’t change your username when you installed WordPress, take 5 minutes and do it now. It’s important.

Changing/deleting the default ‘admin’ username is easy. You need to add a new username, and then you can delete the old one.

  1. Login to your WordPress dashboard
  2. Go to Users
  3. Go to All Users (you should see your admin username here)
  4. Select “add new”
  5. Enter your new username and password (make sure your strength indicator is ‘strong’)
  6. Set the role to administrator
  7. Click Add New User
  8. Logout
  9. Login again with the new username and password
  10. Go to Users / All Users
  11. Select the ‘admin’ username
  12. Either delete it or change its role to “subscriber” (subscribers cannot edit anything on the site).
    • If you delete it, you will be asked what to do with posts associated with the admin userid. You can either delete them or assign them to the new username.

NOTE: you cannot delete a username if you are logged in as that user. Make sure you have logged out of the admin username and are logged in with the new one.

Make careful note of your new username and password. Store it in a safe location. This is how you will login to your WordPress dashboard from now on.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” says WordPress founder Mullenweg.

If you feel it necessary to take additional steps towards protecting your site, Two-Factor Authentication is an extra level of protection.

There are several plugins available if you search “two factor authentication” in the plugins search bar. Most require you to sign up for an account on their site first, and then you can download the plugin. Find the best one for you, but be sure to only download plugins from accredited sites (yes, this is another way hackers distribute malware). Use those that have 5 star ratings and have had many downloads. “Wordfence” is one of the recommended versions (with over 1 million downloads) and their basic version is free.

Better WP Security” is another plugin that provides a color-coded list of potential security threats. It’s easy to read and gives a “click here to fix” link to quickly and easily repair the problem. Make sure to perform the site backup prior to installation, as per the installation instructions.

As Matt Mullenweg said, don’t forget to keep your version of WordPress up-to-date. New releases contain important security updates that will help your site stay out of the hands of hackers. You should login to your WordPress account regularly to check for updates. If you have nothing to change on your site, don’t just leave it idle and open to potential threat. Check regularly for updates and install them.

This website is build on wordpress. We use the wordfence security plugin and it shows login attempts. On average we see a failed “admin” login every 2 minutes. Never twice from the same IP address. Keep wordpress and all plugins/themes updated and do not use admin as your username. Just doing those two things will go a long way to keep your site secure. We also offer a wordpress security service. With this service we monitor your wordpress install and keep it secure at all times.