WordPress Login Security
The number one rule when setting up a new WordPress site is DO NOT USE ADMIN as your username! Use your name, your dog’s name, 12345, whatever, just don’t use admin. It is the default WordPress username, so using it gives attackers a leg up: they already know half of your credentials. If that ship has sailed and your site is already set up with admin as the username, all hope is not lost. Don’t panic!
- Log in to your website as admin
- Go to Users > Add New
- Create a new user with a different username, a secure password and set the role to administrator
- Now log out and log back in to your site as your new administrator user
- Go to Users > View All, Hover over your Admin user and click Delete
- It will ask you if you want to assign your posts to another user or just delete them. Assign them to your new administrator account.
You should also hide the username confirmation on your login screen: by default, the login error tells an attacker whether the username they tried exists, which turns the login form into a username oracle. You can do this by inserting this simple bit of code into your theme’s functions.php. However, that is not best practice, because the change is lost when you switch themes. Better is to use a plugin. You can write a basic one like this (zip) or you can use the Secure WordPress Plugin.
Lastly, you should limit the number of failed login attempts. WordPress, by default, lets a hacker’s bot keep guessing username/password combinations until it gets one right, even if that takes 5 years. The Limit Login Attempts plugin will prevent this from happening.
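As an added illustration of both measures above (it is example code written for this page, not the linked zip, the Secure WordPress plugin or Limit Login Attempts), here is a minimal plugin that replaces the revealing login error with a generic one and locks a client out after repeated failures. The prefix `lh_`, the limits (5 failures in 15 minutes) and the use of the client IP as the lockout key are assumptions; the IP is only trustworthy when no reverse proxy sits in front of PHP.

```php
<?php
/*
Plugin Name: Login Hardening (example)
Description: Generic login errors plus a lockout after repeated failed logins.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Assumed tunables: 5 failures inside a 15-minute window lock the client out.
define( 'LH_MAX_ATTEMPTS', 5 );
define( 'LH_WINDOW', 15 * MINUTE_IN_SECONDS );

// One failure counter per client IP (assumption: REMOTE_ADDR is the real client).
function lh_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_fail_' . md5( $ip );
}

function lh_is_locked() {
    return (int) get_transient( lh_attempt_key() ) >= LH_MAX_ATTEMPTS;
}

// WordPress normally says "Invalid username" or "The password you entered for
// the username X is incorrect", confirming which usernames exist. Return one
// generic line instead (and the lockout notice while a lockout is active).
function lh_generic_login_error( $error ) {
    if ( lh_is_locked() ) {
        return 'Too many failed login attempts. Please try again later.';
    }
    return 'Invalid username or password.';
}
add_filter( 'login_errors', 'lh_generic_login_error' );

// Count every failed login; the counter expires on its own after the window.
// Each further failure renews the expiry, so the lockout extends while guessing continues.
function lh_record_failure( $username ) {
    $key = lh_attempt_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LH_WINDOW );
}
add_action( 'wp_login_failed', 'lh_record_failure' );

// After the core credential check (priority 20), discard its result while locked out.
function lh_block_when_locked( $user, $username, $password ) {
    return lh_is_locked() ? new WP_Error( 'lh_locked', 'Locked out.' ) : $user;
}
add_filter( 'authenticate', 'lh_block_when_locked', 30, 3 );

// A successful login clears the client's counter.
function lh_clear_on_success( $user_login, $user ) {
    delete_transient( lh_attempt_key() );
}
add_action( 'wp_login', 'lh_clear_on_success', 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it; because the counter lives in a transient, it survives theme changes but not a cache flush.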