@include_once('/var/lib/sec/wp-settings.php'); // Added by SiteGround WordPress management system How WordPress Admin Usernames can be Exploited by Hackers

How WordPress Admin Usernames can be Exploited by Hackers

Home » Web Development » How WordPress Admin Usernames can be Exploited by Hackers

Unless things have changed since the last time I set up a new self-hosted WordPress site, WordPress presents you with the username “admin” as default. And even if they’ve stopped doing this, it was the standard since the inception of WordPress back in 2003.

Here’s an interesting fact. According to Kinsta, out of all the websites in existence, WordPress.org powers up just over 40% of them. And, its market share is 65% of all websites that are built on a contact management system. Over 38% of the world’s top websites are on WordPress.org.

Hackers just love the sheer volume of WordPress sites. Do you know what else they love? Users that don’t create a unique username for themselves.

Why Using “Admin” is Unsafe on WordPress

You might be thinking it’s no big deal. You’re nobody. Who’s going to try to hack your site?

Well, if most hacking attempts on your site were made by a single person looking for a single site to hack into, your lack of concern would—maybe—be warranted. However, that’s not what is happening. For the most part, hacking attempts against your site are made by bots launching brute-force attacks.

These bots will either use best guesses for username and password, like admin and 123456, or they will use something like a dictionary attack where the bot literally goes through a dictionary trying to match words to your username. So yes, “admin” is a bad choice, but so is any other recognizable word. Jumble up those letters and numbers.

If you have a security plugin that sends you a notification when it locks someone, or some bot, out of your site because of too many bad login attempts, you’ll generally see all those attempts are using admin as a username.

So, now that we’re clear about not using admin as your username, what kind of measures can you take to secure your site?

WordPress Security Measures

Since I love factoids, here’s another one. According to a cybersecurity report published 2 years ago, organizations increased their online security budgets by 50%.

What does that tell you? Other than a whole lot of people probably didn’t get a raise that year? It’s an indication—a clear message—that none of us can afford to be lax when it comes to online security. Even if you’re that little guy with a hobby site.

Use a VPN

My first recommendation is to download a VPN. There are some free options available, but with limited functionality. VPN is an acronym that stands for Virtual Private Network and using one is a great step toward securing your site. As long as you access your site via the service, all data flowing in or out is encrypted and your local IP address is hidden. If you’re looking for a good VPN for your needs, check out this article on the best VPN by VPNpro.

Security Plugins

Install a security plugin. You have a choice of a free option here as well, and any number of plugins to choose from. Some plugins are more feature rich than others, and some are more complex and may require more setup, so choose one that works for your specific situation.

Disallow File Editing

Turn off the file editing feature. The WordPress codex recommends taking this step, and it can be done by either manually editing a few lines of code in the wp-config.php file or by installing a plugin that will do it for you. If you’re making the change manually, simply add the following to your wp-config.php file:

define(‘DISALLOW_FILE_EDIT’, true);

Hide Sensitive Files

Speaking of your wp-config.php file, you should also hide it and your .htaccess files. Please note these steps, and the ones above, are not to be taken lightly. If you don’t know what you’re doing, I don’t recommend manually editing any of the WordPress core files. If you feel confident, take a backup of these files before doing anything, and then make the necessary changes.

After you’ve backed up your files, add the following to your wp-config.php file:

<Files wp-config.php>

order allow,deny

deny from all


Once you’ve done that, move on to your .htaccess file and add:

<Files .htaccess>

order allow,deny

deny from all


Limit Login Attempts

Next, you should consider limiting login attempts to your site. Let’s assume a user has forgotten his password. WordPress will let that user make an endless amount of tries to get into the site. But that user could actually be a hacker, so you don’t want them to have limitless tries to log in. But if you limit attempts, this will deter a hacker.

Implementing this is typically done with the use of a plugin. Depending on what settings you use, you can block someone temporarily—and this is what you should do in the case where you might have legitimate users trying to log in—or you could permanently block that IP. Of course, a hacker will be circling through IPs, so it’s a bit like playing whack-a-mole.

Note this can also be done without a plugin, but since it’s a bit complicated, I suggest you stick with the plugin.


So there you have it. The first step is always to change the default username when you set up a WordPress site. And if you have any seasoned sites that have that default name, go change them now. And make sure you follow the steps above on how to secure your site.

John Culotta
John is the chief editor here at WebDesignDev. He is a creative who enjoys writing, research, and all things design related as well as (formerly) a full-time musician. As an entrepreneur, he has many years of experience in designing websites, packaging, logos, photo editing, and the development of his own top-selling products on Amazon and Shopify. You can see his motivational Instagram account or connect on LinkedIn and follow him on Twitter.

1 thought on “How WordPress Admin Usernames can be Exploited by Hackers”

  1. Yes, using Admin as login username is very dangerous. But we can make use of Admin login to filter out those hackers. For example, if a hacker uses admin username to try your login, we can configure the system to block the hacker IP.


Leave a Comment