WordPress Usernames and Passwords

Posted on Oct 3, 2012 in Blog, Security

Hackers love the username ‘admin’: half the hacking problem is solved for free, because an attacker who already knows the username only has to guess the password. Hacking happens unfortunately often. Doing support, I am asked to log in to at least 4 or 5 people's sites every day. At least 50% use admin as their username! Stop, people! Make a simple change to protect yourself. There is much more to security, but not leaving a key under the flowerpot is a good start. So read the notes on usernames and passwords, and then follow the steps to remove that hacker invitation.

Valid WordPress username characters:

_ (underscore)
. (period)
- (hyphen)
@ (at sign)


You can also use passphrases – whole sentences, such as quotes or favorite song lyrics. Passphrases are harder to guess yet easier to remember. They take longer to type, but are considered more secure, especially if you pepper them with some random numbers and special characters. A passphrase like this is enormously difficult to crack by brute force but easy to remember.
For a deeper explanation, see this cartoon.

However, even if you manage to think of a good password, its security drops with every additional site you use it on. If you use the same password on every site you sign up for, the chances of your password getting compromised are greatly increased.

Instead of trying to keep track of dozens of passwords in your head or in unsecured text documents on your desktop, use password management software. It will lock all your information down behind one single password. If you only have to remember one password, you can make it as random and as hard to guess as you want.

These are some password managers. I personally think 1Password is worth the money:

KeePass – Open Source, free to download and use. Available for Windows, Mac and Linux.
LastPass – Free service with premium option. Available for all major OSs, browsers and mobile devices.
1Password – Paid download. Available for Windows, Mac and iOS, with support for all major browsers.
Your data – your responsibility.

Remove the default Admin user

Whenever you start a WordPress site, remove the ‘admin’ user, BUT follow these steps so that you do not lose all of your data. It is easy, but the urge to click quickly without reading can make you skip a step, and then everything is gone. Bad design on WordPress's part, I think.

  1. Make a new user first with a name that is hard to guess: not your name, not the site name, not even real words. The username can only contain certain characters; see the valid username characters listed above.
  2. Make the password really difficult too. You can use a password generator (http://freepasswordgenerator.com/) or just tricks like substituting $ for S, * for i and ^ for v, making a word you can remember.
  3. Give that user full Administrator privileges.
  4. Log out and log back in as that user, and make sure it works and you have full Administrator privileges. Don’t skip this step.
  5. Before you delete, read all of this step. Do not click too fast!!
    Click delete under the ‘admin’ username. A delete users page opens. Do not forget to check “attribute all posts and links to” and choose your new user. If you do not, you will lose everything!!!!
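
The same procedure from the command line, as an added example that is not part of the original post: it assumes WP-CLI (`wp`) is installed and run from the site root, and the function names are illustrative. It refuses to delete ‘admin’ unless the replacement already holds the administrator role and always passes `--reassign`; logging in as the new user (step 4) still has to be checked by hand.

```sh
#!/bin/sh
# Added example (not from the original post): steps 3-5 as a guarded routine.
# Assumes WP-CLI ("wp") is installed and this runs from the WordPress root.

# True only if login $1 exists and holds the administrator role.
is_administrator() {
  roles=$(wp user get "$1" --field=roles 2>/dev/null) || return 1
  case ",$(printf '%s' "$roles" | tr -d ' ')," in
    *,administrator,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Delete the default 'admin' account, handing its content to login $1.
retire_default_admin() {
  if [ -z "${1:-}" ] || [ "$1" = "admin" ]; then
    echo "refusing: choose a replacement login other than 'admin'" >&2
    return 2
  fi
  # Steps 3-4: the replacement must already be a working administrator.
  if ! is_administrator "$1"; then
    echo "refusing: '$1' is missing or not an administrator" >&2
    return 3
  fi
  if ! wp user get admin --field=ID >/dev/null 2>&1; then
    echo "nothing to do: no 'admin' user on this site"
    return 0
  fi
  new_id=$(wp user get "$1" --field=ID) || return 4
  # Step 5: --reassign is the CLI form of "attribute all posts and links to";
  # without it the deleted user's content is removed as well.
  wp user delete admin --reassign="$new_id" --yes
}

# Run only when a replacement login is passed on the command line.
if [ $# -gt 0 ]; then
  retire_default_admin "$1"
fi
```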
