How Your WordPress Admin Username can be Exploited by Hackers


Unless things have changed since the last time I set up a new self-hosted WordPress site, WordPress presents you with the username “admin” as default. And even if they’ve stopped doing this, it was the standard since the inception of WordPress back in 2003. That’s 16+ years on WordPress sites that use “admin” as the username.

Here’s an interesting factoid. Out of all the websites in existence, WordPress makes up just over 30% of them. And it encompassed more than 60% of all websites that are built on a contact management system.

Hackers just love the sheer volume of WordPress sites. Do you know what else they love? Users that don’t create a unique username for themselves.

Why Using “Admin” is Unsafe

You might be thinking it’s no big deal. You’re nobody. Who’s going to try to hack your site?

Well, if most hacking attempts on your site were made by a single person looking for a single site to hack into, your lack of concern would—maybe—be warranted. However, that’s not what is happening. For the most part, hacking attempts against your site are made by bots launching brute-force attacks. These bots will either use best guesses for username and password, like admin and 123456, or they will use something like a dictionary attack where the bot literally goes through a dictionary trying to match words to your username. So yes, “admin” is a bad choice, but so is any other recognizable word. Jumble up those letters and numbers.

If you have a security plugin that sends you a notification when it locks someone, or some bot, out of your site because of too many bad login attempts, you’ll generally see all those attempts are using admin as a username.

So, now that we’re clear about not using admin as your username, what kind of measures can you take to secure your site?

WordPress Security Measures

Since I love factoids, here’s another one. According to a cybersecurity report published 2 years ago, organizations increased their online security budgets by 50%.

What does that tell you? Other than a whole lot of people probably didn’t get a raise that year? It’s an indication—a clear message—that none of us can afford to be lax when it comes to online security. Even if you’re that little guy with a hobby site.

Use a VPN

My first recommendation is to use a VPN. You can even use a free VPN service. VPN stands for Virtual Private Network and using one is a great step toward securing your site. As long as you access your site via the service, all data flowing in or out is encrypted and your local IP address is hidden. If you’re looking for a good VPN for your needs, check out this article on the best VPN by VPNpro.

Security Plugins

Install a security plugin. You have a choice of a free option here as well, and any number of plugins to choose from. Some plugins are more feature rich than others, some are more complex and may require more setup, so choose one that works for your specific situation.

Disallow File Editing

Turn of the file editing feature. The WordPress codex recommends taking this step, and it can be done by either manually editing a few lines of code in the wp-config.php file or by installing a plugin that will do it for you. If you’re making the change manually, simply add the following to your wp-config.php file:

define(‘DISALLOW_FILE_EDIT’, true);

Hide Sensitive Files

Speaking of your wp-config.php file, you should also hide it and your .htaccess files. Please note these steps, this and the one above, are not to be taken lightly. If you don’t know what you’re doing, I don’t recommend manually editing any of the WordPress core files. If you feel confident, take a backup of these files before doing anything, and then make the necessary changes.

After you’ve backed up your files, add the following to your wp-config.php file:

<Files wp-config.php>

order allow,deny

deny from all


Once you’ve done that, move on to your .htaccess file and add:

<Files .htaccess>

order allow,deny

deny from all


Limit Login Attempts

Next, you should consider limiting login attempts to your site. Let’s assume a user has forgotten his password. WordPress will let that user make an endless amount of tries to get into the site. But that user could actually be a hacker, so you don’t want them to have limitless tries to log in. But if you limit attempts, this will deter a hacker.

Implementing this is typically done with the use of a plugin. Depending on what settings you use, you can block someone temporarily—and this is what you should do in the case where you might have legitimate users trying to log in—or you could permanently block that IP. Of course, a hacker will be circling through IPs, so it’s a bit like playing whack-a-mole.

Note this can also be done without a plugin, but since it’s a bit complicated, I suggest you stick with the plugin.

So there you have it. The first step, always change the default username when you set up a WordPress site. And if you have any seasoned sites that have that default name, go change them now. And make sure you follow the steps above on how to secure your site.

1 thought on “How Your WordPress Admin Username can be Exploited by Hackers”

  1. Yes, using Admin as login username is very dangerous. But we can make use of Admin login to filter out those hackers. For example, if a hacker uses admin username to try your login, we can configure the system to block the hacker IP.


Leave a Comment

100+ Free Design Resources

Sign up for our email newsletter and get instant access to download our exclusive designer freebies pack, including:

  • 100 HD blurred backgrounds
  • Realistic web shadows pack
Download Now