Keep Your WordPress Blog Secure: Get New Administrator Account And Delete Default ‘admin’ User

Why delete the ‘admin’ user?

Every WordPress installation comes with a default administrator account with the username ‘admin’ and a weird-looking (but highly secure) password. Most of the time we change the password to something simpler so that we can remember it. In fact, most of us create a new user that represents us with administrative access.

Unfortunately, we do not feel a need to delete the default ‘admin’ user, because we assume it has no impact and we don’t have enough time to look into it. Some of us also fear that if we delete that username, we may lose access to our WordPress installation. But believe me, no such thing is going to happen. It is very necessary to get rid of this default user because…

1. Most of the hackers and crackers trying to hack WordPress installations are malicious bots.

2. These hackers do not need to guess your WordPress administrator username, because they too are aware of the default ‘admin’ username.

3. The only thing they then need to do is guess or brute-force your password, and if you have made it simpler, you are even more exposed.

So a hard-to-guess administrator username adds one more layer of security to your WordPress installation. It is better to create a fresh Administrator account and delete the default ‘admin’ user.

Steps to get rid of default admin user

1. Log in to wp-admin using the ‘admin’ user or any administrator account.

2. Take a backup of your WordPress database. There are many free WordPress plugins available for this purpose; I use WP-db-backup. There is no risk involved in deleting the ‘admin’ user, but it is still better to have a recent backup.

3. If you do not have any administrator other than the ‘admin’ user, create a new administrator user. On your wp-admin panel => go to the Users section in the left sidebar => click Add New => create a new user with a non-guessable username, fill in the first name and last name, and set a strong password combining capital and small letters and some special characters. You also need to enter an email ID which is not registered with any other user on that WordPress installation => select ‘Administrator’ from the ‘Role’ dropdown box (very important) => click ‘Add User’.

Now a new user with the ‘Administrator’ role is created. You can view the user through Users => Authors and Users in the left sidebar of the wp-admin panel. Confirm that the user you created appears there with the ‘Administrator’ role.

4. Now log out of the ‘admin’ user and log in using the new username you have just created. Go to Users => Authors and Users. When you hover over the ‘admin’ username you will see two links, ‘Edit’ and ‘Delete’. Click Delete.

Once you click ‘Delete’, if there are posts written by the ‘admin’ username, WordPress will ask you what to do with those posts and links.

You can either select ‘Delete all posts and links’ or ‘Attribute all posts and links’ to a particular user, maybe one with the Editor role. Do not use the newly created administrator account to write any posts or create any links, i.e. never make the administrator the author of any post, attachment, comment or anything else. What I suggest is to create a new user with the ‘Editor’ role for yourself and transfer all the posts by admin to this user.

Press ‘Confirm Deletion’ now to delete the ‘admin’ account.

Rename the ‘admin’ account through an SQL query

Rather than deleting the ‘admin’ username, you can also rename it by executing a simple SQL query in your phpMyAdmin panel or in the MySQL command-line client, as follows:

UPDATE tableprefix_users
SET user_login='newuser'
WHERE user_login='admin';

Replace tableprefix with the WordPress database table prefix (it can be found in wp-config.php). Generally it is ‘wp_’. Replace newuser with the required username.
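
The checks worth running around the rename above, and before deleting ‘admin’ in the earlier steps, written out as an added example (not part of the original post). It assumes MySQL and the table prefix ‘wp_’; ‘newuser’ is a placeholder.

```sql
-- Added example: assumes MySQL and the table prefix 'wp_'; 'newuser' is a placeholder.

-- 1. Which accounts hold the Administrator role? Roles are stored per user in
--    wp_usermeta under the key '<prefix>capabilities' as a serialized PHP array.
--    Before deleting 'admin', this list must contain at least one other account,
--    otherwise nobody can reach the dashboard afterwards.
SELECT u.ID, u.user_login, u.user_email
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID;

-- 2. A raw UPDATE bypasses the duplicate-username check that wp-admin performs.
--    Continue with the rename only if this count is 0.
SELECT COUNT(*) AS taken
FROM wp_users
WHERE user_login = 'newuser';

-- 3. The rename itself (the query from the article, with the prefix filled in).
UPDATE wp_users
SET user_login = 'newuser'
WHERE user_login = 'admin';

-- 4. The UPDATE changes only user_login. user_nicename (used in author archive
--    URLs) and display_name are separate columns and keep their old values,
--    so review what the renamed account still shows publicly.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'newuser';
```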

Now you have a new admin account with a good and unique username. Please keep it only for administrative activities and controls. I repeat: avoid publishing any posts, pages, attachments or comments using this account. Doing so may again help hackers guess your administrator account username.

Please post your valuable comments on the importance of ‘admin’ username deletion in the comments section of this blog post. All your suggestions are welcome and will definitely help me to enhance this article and make it a bit helpful for all the other readers.

7 Comments

  1. Keith Davis

    November 7, 2009 at 5:44 pm

    Hi you two
    Thousands of posts out there about deleting default admin user, but you have gone a step further and explained that you shouldn’t use the newly created administrator as author of posts.

    I shall do as you suggest and create new “administrator” and new “editor” to write posts and then delete default admin.

    Question… when signed in as new administrator, can I write a post and then assign the post to the newly created “editor”? Or do I have to be logged in as the editor?

  2. Sanjeev Mishra

    November 8, 2009 at 4:08 am

    You can choose any of the options to write a post. You may write a post with the administrator ID and then assign those posts to the editor through “quick edit” or edit. I would suggest you use Administrator accounts for changes in settings, appearances, plugins etc. and, for posts, you should use editor accounts. We don’t make changes in settings every day, so the administrator accounts should not come into the picture each day. This is a good practice because if, by any chance, you forget to change the author from administrator to editor, you would expose your admin ID, which is not good for the security reasons explained in this post.
    Thanks for the compliments, I am really excited that you liked the post.

  3. Keith Davis

    November 8, 2009 at 12:56 pm

    Thanks for quick response Sanjeev.

    I’ll get stuck-in today and do as you suggest.

    Regards

  4. Keith Davis

    November 15, 2009 at 8:06 pm

    Hi Sanjeev
    Went through the tutorial and did as you suggest.

    Only one small problem… can’t get WordPress admin panel to remember username / password info. It used to remember username and password of old admin sign in.

    Perhaps it’s better not to remember it… any thoughts?

  5. Sanjeev Mishra

    November 16, 2009 at 3:28 am

    If you are using your own system rather than a cyber cafe’s PC, you can save your User ID and password in the browser. That is safe. Regarding not being able to remember the password in the browser, you can clear the passwords stored in the browser and then try to log in with your new ID and password. This will solve your problem for sure.

  6. Ian Roke

    January 19, 2010 at 4:10 pm

    Great minds think alike! I wrote a post on my blog yesterday detailing how I “dumb down” the admin account by creating a new user account with the Administrator role and changing the role to Subscriber on the admin account. I then create a random 14 character password with an online password generator to make it even harder to hack.

    The post is at http://blog.ianroke.co.uk/2010/01/dumb-down-admin-account-new-wordpress-installations/ if you are interested.

    Interesting read thank you. Ian.

  7. anna

    May 15, 2010 at 6:11 am

    Great post. My problem is a dumb rookie mistake. I deleted admin without assigning full access to my new user, I didn’t know I had to. Now I can’t get into my dashboard. Any suggestions?
