If you’re running a self-hosted WordPress site, you may have seen that there has recently been a high number of attacks against admin accounts. The best way to prevent these attacks is to remove the admin user – we’ll talk you through how to remove it.
First, log in as the admin user. Go to Users > Add New.
Create a new user, and give them an administrator role (this is the drop-down at the bottom of the form).
(Avoid sending the password via email – WordPress sends this in plain text, so it’s not very secure.)
Log in as the new administrator user, and go to Users > All Users. Hover over your admin user, and choose “Delete”.
The following page will pop up:
If you’ve been using the admin account to publish posts previously, make sure that you choose to attribute all of their posts to another account – you wouldn’t want to lose blog posts here!
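The same steps can also be scripted with WP-CLI. The script below is an added example, not part of the original post: it assumes WP-CLI is installed and is run from the WordPress root, and the function name `replace_admin` and the new login and e-mail you pass to it are your own choices.

```shell
#!/bin/sh
# Added example: WP-CLI equivalent of the dashboard steps above.
# Usage (from the WordPress root): sh this-script admin NEW_LOGIN NEW_EMAIL
# NEW_LOGIN and NEW_EMAIL are placeholders chosen by the operator.

# replace_admin OLD_LOGIN NEW_LOGIN NEW_EMAIL
replace_admin() {
    old_login=$1; new_login=$2; new_email=$3

    if [ "$old_login" = "$new_login" ]; then
        echo "new login must differ from '$old_login'" >&2
        return 2
    fi

    # Stop early if the account to remove is not there.
    old_id=$(wp user get "$old_login" --field=ID 2>/dev/null) || {
        echo "no user named '$old_login'" >&2
        return 2
    }

    # Create the replacement administrator. Without --send-email WP-CLI
    # mails nothing; the generated password is printed once on the terminal.
    wp user create "$new_login" "$new_email" --role=administrator || return 1

    # Confirm the replacement exists and really is an administrator
    # before touching the old account.
    new_id=$(wp user get "$new_login" --field=ID) || return 1
    new_roles=$(wp user get "$new_login" --field=roles) || return 1
    case "$new_roles" in
        *administrator*) ;;
        *) echo "'$new_login' is not an administrator; nothing deleted" >&2
           return 1 ;;
    esac

    # Delete the old account and attribute its posts to the new one,
    # so no content is lost.
    wp user delete "$old_login" --reassign="$new_id" || return 1
    echo "removed '$old_login' (ID $old_id); posts now belong to ID $new_id"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    replace_admin "$@"
fi
```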
(We also recommend installing the plugin Limit Login Attempts – we increased the lockout duration to 2880 minutes, or 48 hours, to be extra certain!)
Thanks for this – I’ve been wondering how to do that for a while!
These attacks are definitely still hammering a lot of WordPress installations.
As well as “admin”, I’ve also seen them trying usernames based on the domain name, e.g. trying to log in as “example” if the site’s called “example.com”, so you may want to avoid those names, too.