Change Admin Username WordPress
This security tip is intended to protect your WordPress site from a common threat known as a brute force attack.
What is a brute force attack? Good question. A brute force attack is a method where a hacker tries to gain access to your site by entering a long list of passwords. Because they use a ‘bot’ or a script to enter the passwords, they can test a very large number of them and, given enough time, could very likely stumble upon yours.
Once admin access has been gained, hackers will often proceed to install scripts on your website which effectively hand control of the website over to them. Soon, you may notice that your site has turned into an advertisement for a Russian pharmaceutical company.
Security Tip: Change your administrative username to be anything other than the default ‘admin’
Bots are actually stupid. They don’t know what your real username is – they aren’t even targeting you specifically most of the time. Rather, they crawl the internet looking for vulnerable WordPress sites where the admin username is set to the default ‘admin’. When they come to your site, they will enter ‘admin’ for the username and try to determine the correct password by guessing a million different possibilities. If your username is not ‘admin’, the bot will never be able to succeed.
The truth is, even with this in place, bots can still get to you. If someone takes the time to look around on your site, they can usually determine what your admin username is. From there, you are just one brute-forced password away from a hacked site.
For more advanced protection from these threats, refer to the Brute Force Attacks article in the WordPress codex.
Nonetheless, this is a solid first line of defense and should be implemented on all of your WordPress sites.
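An added example (not part of the original article) for checking a site against this tip: it reads the CSV that WP-CLI's `wp user list --fields=ID,user_login,display_name,roles --format=csv` prints and flags administrator accounts that still use ‘admin’, or whose login doubles as the public display name and so can be read off the site. The sample rows, the function name and the display-name check are assumptions added here.

```python
import csv
import io

# Logins treated as defaults; only 'admin' comes from the article.
DEFAULT_LOGINS = {"admin"}


def audit_admins(csv_text):
    """Return (user_login, reason) pairs for risky administrator accounts.

    Expects the CSV printed by:
      wp user list --fields=ID,user_login,display_name,roles --format=csv
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # A user with several roles gets them comma-separated in one field.
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" not in roles:
            continue  # the tip is about accounts with admin access
        login = row["user_login"].strip()
        if login.lower() in DEFAULT_LOGINS:
            findings.append((login, "default username"))
        elif login.lower() == row["display_name"].strip().lower():
            # The display name is shown publicly, so it should differ
            # from the name used to log in.
            findings.append((login, "login shown as public display name"))
    return findings


# Constructed sample export (not from a real site).
SAMPLE = """ID,user_login,display_name,roles
1,admin,Site Owner,administrator
2,jsmith,jsmith,"administrator,editor"
3,k7-ops-wren,Karen W.,administrator
4,guest,guest,subscriber
"""

if __name__ == "__main__":
    for login, reason in audit_admins(SAMPLE):
        print(f"{login}: {reason}")
```

An empty result means no administrator account matches either check; it says nothing about password strength, which the Codex article covers.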