WordPress – How to “change” the admin user

Lots of people are talking about the latest attack on WordPress hosted sites.

One recommendation from Matt Mullenweg, WordPress founder, is

If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress.

That first comment is the one that seems to be confusing a lot of people.  Change it?  Change it!?!?  I can’t change a username!

“Changing” the admin account username is actually a create / delete process.  He worded it poorly but it’s still valid advice.

Here’s how you do it:

1. Log in as admin
2. Change the email address for the admin user to something else.  Anything else.  This way when you provide your email address in the following steps, you don’t generate an error.
3. Create another user, preferably with a hard to guess username
4. Enter your email address
5. Choose a password that is difficult to guess.
  • Use all 4 of the following: Upper and Lower Case letters, numbers and special symbols (!@%#^&*, etc)
  • better still, use a password generator.  I prefer offline generators like the ones contained in password keepers  (more about that below) like Password Corral and KeePass, there’s less likelihood that someone’s watching and recording generated passwords, but likely most well known sites are safe too. This one is by Symantec.
  • Record this password somewhere that it can’t be stolen.  I use both Password Corral and KeePass.
6. Assign that user Administrative privileges
7. Click “add new user”
8. Log out of admin, log in as the user you just created
9. Delete the Admin user
10. Assign posts, etc the new user, or another user.
Extra Credit:
11. Create another user, same guidelines as above, but with editor permissions.
12. Log in as the non-administrative user when doing anything other than admin work. You don’t need to be admin to blog about your cat/dog/food project/latest quilt

Also in his comment above, he mentions if your WP installation isn’t up to date, do the updates.

This includes your plugins and your themes.  Let’s be honest, it’s a bit of a pain sometimes to do the admin when all you want to do is blog, but the latest version of your WordPress software, your plugins, and your themes are the most secure.  It really only takes a couple of seconds.

Today’s attack is about trying to gain admin access to your blog through brute force.  This is only one way to do it.  There are other ways, and usually those ways are by using vulnerabilities in the software on the site.  Plugins, themes, and wordpress itself are all software.  Give yourself the best chance at keeping control of your site, and keep it up to date.

As always, if you have questions about this, or just need a little help, leave a comment below, or you can always reach us via email or phone.

One thought on “WordPress – How to “change” the admin user”

Hey! I'd love to hear what you think of this!