WordPress Security Tip #1 – Get Rid of the Admin Account

by Steve on April 8, 2009

A number of people have asked me for some more detail on how to implement some of the suggestions I made in this post. So, here is the first in the series of in-depth tutorials on how to better secure your WordPress blog.

It’s important to secure your WordPress blog. We’re bombarded daily with tales of worms, virii, and Trojan Horsies. Secure this! Lockdown that! Protect yourself! Fortunately, the chances of your self-hosted WordPress blog are fairly slim, but it does happen. This is the first post in a series of how you can tighten down the security of your blog.

Step #1: Sign the online petition at http://shipthemoff.com to reopen Devil’s Island as a penal colony, and send all convicted hackers there to fend for themselves (remember Papillon?).

All right, so we can’t do that. SO, the first thing you should do is get rid of the default ‘admin’ user account that WordPress so kindly sets up for you when you install WordPress. You can do it in a few simple steps:

  1. create a new user account
  2. log out and log in under the new name
  3. delete the ‘admin’ account

Here’s how.

First step: always the very first step when you’re messing with important parts of your blog – backup your database! (I’ll be showing you how to do that in a future post)

After you’ve backed up your database, continue on:

In your dashboard, find Users and expand it. Click on Add New.

  • addnewon the Add New screen, enter your details, using a new username. Pick a username that isn’t obvious. If you really want to go all out, you can make up a username that mimics a password for effectiveness: mix upper and lower case letters and numbers (you can’t use symbols like ! ^ or @ in a username) and don’t use words that can be found in the dictionary.
  • enter your email address, and your website address (address is optional)
  • enter a new password twice. Get really creative with your password. Use at least 8 characters, preferably 12, and mix upper- and lower-case letters, numbers, and punctuation symbols, and don’t use words that can be found in the dictionary. Use something like JpXM20&33tY!89.
  • be sure to set the new user’s role to ‘Administrator’
  • when you’re done, click the ‘Add User’ button
  • at the top right corner of your window, click the ‘Log Out’ button to log out of your admin session.

Now, you’ll need to log back in as the new user you just created. If you did everything correctly, your dashboard will look identical to the admin user. If you  don’t see all of the menu options on the left, you probably didn’t set your new user up as an Administrator.

After you’ve logged back in and everything looks kosher, you’ll need to delete the original admin account. Don’t worry, you won’t be deleting your existing posts – unless you hit the wrong button :)

Click on Authors & Users again. Hover over the admin avatar, and you’ll see a ‘delete’ link (hint: if you don’t see that link, you’re still logged in as ‘admin’). Click.

deleteThe next screen allows you to either delete all posts and links associated to the admin user, or to assign them to the new user. Don’t delete all of your posts! (Personally, I think the ‘reassign’ option should be pre-selected, but that’s fodder for another day). Click the radio button to assign existing posts and links to another user, and choose your newly-created user from the dropdown box.

Click the ‘Confirm Deletion’ button, and WordPress will delete the admin account and assign the posts and links to your new account.

Next, click on the Your Profile link and complete your profile, including the dropdown box of how you want to display your name as an author.

In case of disaster:

If you managed, in the delete step, to delete all of your posts, it’s a relatively simple thing to restore them. You will, though, need to know a little bit about how to use your hosting provider’s MySQL administration tool (most likely phpMyAdmin, but yymv). More on how to restore from a backup in a future article.

{ 1 trackback }

Watch Out for Recent WordPress Gumblar PHP Exploit | GROWMAP.COM
May 14, 2009 at 8:30 pm

{ 9 comments… read them below or add one }

Adam May 13, 2010 at 8:04 am

Nice post. In addition to keeping your plugins and version of WP up to date, removing the default admin account is probably the easiest thing that can be done to improve the security of a WP blog.


Steve May 13, 2010 at 9:21 am

Agreed. Glad to see that’s going to be a new feature in 3.0 coming soon.


Joy September 27, 2010 at 1:57 pm


My WP sites are being hacked faster than I can recover them. Different hosting companies, both looking into it for me.

I have bought a new PC, changed passwords, running Spybot, Security Essentials, Malwarebytes. All come up clean, but still the sites get hacked almost as soon as I get Google to say they’re OK. I update WP as soon as I spot a new release, but haven’t yet spotted this “change admin” feature. Perhaps it’s not there yet?

Is there a way to tell if the issue is my ftp login or my wordpress login, please?



Steve September 27, 2010 at 2:19 pm

Wow, Joy – something just isn’t quite right.

When you say ‘hacked’, what exactly do you mean? Malicious javascript on your pages, that sort of thing? Something else?

My initial thought would be that what/whoever got you the first time managed to slip some stuff into the database, maybe the posts table. If that is the case, you can update WordPress until you’re blue in the face and it won’t do any good.

The ‘change admin’ isn’t a feature. The post outlines the safest way to delete your existing admin account and replace it with an administrator account with a different login username.

Do let me know what your hosting companies come up with. I’m interested in knowing just what is going on with your sites.


Joy September 27, 2010 at 6:25 pm

Hi Steve

Hosting companies stunned into silence so far LOL However, I deleted admin as per your advice on two of my blogs, so will see if they survive.

Discovered some non-WP sites also hacked, so that means WP isn’t the common link. But my PC is coming up clean and protected and has done so for three weeks now.

What is happening is that the nasty urls are inserted at the very end of either index.html or index.php files. Easy enough to spot edit out now I know what to do, but I have several blogs, only do this part-time, not very technical and I’m struggling!

Many of the nasty urls have .ru, and I notice I’m getting several .ru subscribers. Shall I delete them?


Steve September 27, 2010 at 6:58 pm

I think you’re pretty safe deleting subscribers from Russia :)

You’re in the tedious stage – cleaning out the bad stuff. I feel for ya.

Let me know, if you can, what your hosting companies finally say.


Joy September 28, 2010 at 12:15 pm

They say that: “According to the information available, only login attempts from the current IP address you are using to connect to the Internet have been recorded over the last four days. ”

They just told me to change my ftp password, but I had already done that and it’s been hacked again.

The other hosting company involved say “This was the same as the previous exploit. It looks like the FTP password was compromised and this let them log in and modify the files.”

I found a WP Security plugin – do you think that would help?


Zoran December 26, 2010 at 3:21 pm

@Joy, i had the same problem, but in my case it was my FTP client FileZilla, which keeps the username and password in plain text file, so the best advice is to change it. I hope that helps :)


Stephan October 7, 2010 at 10:18 am

Stealth WordPress admin account and other users for that matter…

Here is what I do; not sure if it is of any value, but does appease me some :-)

Using the WP-Optimize Plugin rename the Admin user to a user name that is meaningless and very difficult to guess – essentially a strong password.
Then add the Nickname: Admin
Then set the Display name publicly as: Admin (Never as the actual User Name)

User Name: SG38_hW10-29Xz
Password: Io%26ehdr1cAGt9j#wq8Y
Nicknames: Admin (or whatever makes sense i.e.: John)
Display Public as: Admin
Display Public as: John

I do that for every user that has strong privileges…

My thinking is that Hackers will be trying to guess password and all the while thinking user is Admin… At least will have to work a little harder for it ;-)

I use http://www.KeePass.info Portable Password software, so no worries about trying to remember my User/password combo.

Your opinion / feedback sincerely welcomed.



Cancel reply

Reply to Adam:

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>