WordPress Security Tip: DO NOT Delete Admin User, Disarm Him!

Some tools, like QuickInstall, let you install and configure WordPress in under a minute; however, you will typically end up with the default username “admin”.

For those who are just starting out with WordPress, there are several different types of users who can use your site in different ways. How they use your website and what they can do is defined by permissions, and these permissions differ for each type of user. You can have contributors, authors, editors, spectators, etc.

Installation and website management require administrative access to your site, so it is only logical that your default username is “admin”. The problem is that malicious bots “know” this, and that username is precisely what they are looking for.

The most common advice is to never be “admin” in the first place, but if you happen to be “admin” for whatever reason, you are typically advised to create a new user with another name, give it administrative capabilities and then delete the old “admin” (after assigning all of the old content to the new author).

However, an even better way is to create a new user with a long, complicated name, give it administrative permissions, and then edit “admin’s” permissions to make that account, let’s say, a subscriber or a visitor. This type of user cannot make any changes to your site, so even if malicious bots succeed in guessing “admin’s” password, they will not get access to the real admin dashboard and will not be able to do any harm to your site or blog. So you do not delete “admin”; you only limit what “admin” can do.

You should actually CREATE admin

In addition, if you already have a long and complicated username and do not have an “admin” account, I suggest that you actually create one. Of course, you are not going to give it administrative capabilities; you are going to make it something totally harmless, like a spectator. Why create “admin” when almost everyone advises otherwise? To mislead stupid bots.

WordPress has one problem: it tells too much. If you enter a wrong username, it will tell you specifically that this username does not exist. To be precise, it will say “invalid username”, so you know the problem is not the password, it is the username. This saves attackers tons of time. If they know “admin” does not exist, they will not waste time guessing “admin’s” password; they will try to guess your real username instead. But if you actually have that little harmless user called “admin”, WordPress will tell them it is the password that is incorrect, so they will waste lots of time guessing admin’s password only to find out that all they can do is read publicly available content.
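The two steps above (demote the real “admin” to a subscriber, or create a harmless “admin” decoy if none exists, after creating a new administrator under a long random login) as an added PHP example; it is not code from the original post. It is written as a run-once must-use plugin using WordPress’s own `wp_insert_user`, `get_user_by` and `WP_User::set_role` functions; the e-mail addresses and the `disarm_admin_done` option name are placeholders, and the final `login_errors` filter is an extra hardening step beyond the post that makes the login form stop confirming which usernames exist.

```php
<?php
/**
 * Plugin Name: Disarm Admin (added example, not from the original post)
 * Place in wp-content/mu-plugins/, load the site once, then remove the file.
 */

function disarm_admin_once() {
    // Guard so the procedure runs a single time per site (placeholder option name).
    if ( get_option( 'disarm_admin_done' ) ) {
        return;
    }

    // 1. Create the real administrator under a long, hard-to-guess login.
    //    The password is never stored or logged here: WordPress e-mails the
    //    new user a password-setup link instead. E-mail is a placeholder.
    $new_login = 'owner-' . wp_generate_password( 24, false ); // letters/digits only
    $new_id    = wp_insert_user( array(
        'user_login' => $new_login,
        'user_pass'  => wp_generate_password( 40, true ),
        'user_email' => 'owner@example.com',
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        error_log( 'disarm_admin: ' . $new_id->get_error_message() );
        return; // do not touch "admin" until a replacement administrator exists
    }
    wp_new_user_notification( $new_id, null, 'user' );
    error_log( "disarm_admin: new administrator login is {$new_login}" );

    // 2. "admin" exists: keep the account but strip it down to subscriber.
    $admin = get_user_by( 'login', 'admin' );
    if ( $admin ) {
        $admin->set_role( 'subscriber' ); // replaces all roles with subscriber
    } else {
        // 3. No "admin": create one as a harmless decoy with an unguessable
        //    password, so the login form reports a wrong password, not an
        //    unknown username. E-mail is a placeholder.
        wp_insert_user( array(
            'user_login' => 'admin',
            'user_pass'  => wp_generate_password( 64, true ),
            'user_email' => 'decoy@example.com',
            'role'       => 'subscriber',
        ) );
    }
    update_option( 'disarm_admin_done', 1 );
}
add_action( 'init', 'disarm_admin_once' );

// Extra hardening beyond the post: one message for wrong username and wrong
// password, so the form no longer tells a bot which logins are valid.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

Hooking on `init` matters: `wp_new_user_notification` is a pluggable function that is not yet loaded when must-use plugins are first included.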

Security-wise, it is best to keep an “admin” user with limited capabilities rather than delete it altogether.
