Drastically reduce the chance of a successful brute force attack on your WordPress installation’s “admin” account

Not too long ago a WordPress attack campaign was making the rounds: the gist was that someone was brute-forcing login pages using the default administrator account. The problem, generalized, is that the default administrator account in WordPress is named "admin" and cannot be renamed from the dashboard. All an attacker has to do is use that known username and fire password combinations at it until one hits the mark.

This is a very easy problem to solve.

Access your WordPress installation's database. You can do this with phpMyAdmin (which most hosting environments have nowadays) or any other MySQL administration tool that suits you. In the wp_users table you should see the "admin" account; it should be the first record in that table. The user_login and user_nicename fields in that row should both contain the word "admin". Change them to something different (the same value in both fields) and save the changes. And do not touch the user_pass field: it holds a password hash, not the password itself, and any change you make to it by hand will lock the account out for good.

You can now log into your WordPress installation using that new username, which will still maintain all administrator access rights. Hackers don’t know what it is, but they’ll still think it’s “admin”, making brute force password attempts relatively futile.
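The same change as the phpMyAdmin steps above, written as SQL you can run against the WordPress database. This is an added example, not code from the original post; it assumes the stock `wp_` table prefix and uses `newadminname` as a placeholder for whatever username you pick.

```sql
-- Added example (not from the original post): rename the default "admin"
-- account directly in the WordPress database.
-- Assumptions: table prefix is the stock "wp_"; "newadminname" is a
-- placeholder, replace it with the username you actually want.

-- 1. Look before you leap: confirm which row is the default administrator.
--    In a stock install this is ID 1, the first record in wp_users.
SELECT ID, user_login, user_nicename, display_name
  FROM wp_users
 WHERE user_login = 'admin';

-- 2. Rename user_login and user_nicename together, as the post describes.
--    user_pass is deliberately NOT in the SET list: it holds a hash, and
--    editing it by hand locks the account out.
UPDATE wp_users
   SET user_login    = 'newadminname',
       user_nicename = 'newadminname'
 WHERE user_login = 'admin'
 LIMIT 1;

-- 3. Verify: no row still carries the old name, and exactly one row
--    carries the new one. Then log in with the new username.
SELECT COUNT(*) AS old_name_rows
  FROM wp_users
 WHERE user_login = 'admin';          -- expect 0

SELECT ID, user_login, user_nicename
  FROM wp_users
 WHERE user_login = 'newadminname';   -- expect exactly 1 row
```

The `display_name` column selected in step 1 is what themes print next to posts; the post does not cover it, but if it still reads "admin" after the rename it can be updated the same way, since it is cosmetic and not used for login.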

MG signing off (to change my default administrator username, since “loudmouthdouchebag” doesn’t work for me anymore)
