Holy Botnet, Batman! How do I change my admin username?


You may have heard about the massive security threat toward Joomla and WordPress sites. (If not WHERE HAVE YOU BEEN???) There are lots of posts around the web on the subject, but not a lot of answers to “well, how do I change my username from admin?” This post answers that question.

batman-botnet-2Answer 1: You don’t

Going to the Users tab in WordPress and clicking the ‘admin’ username will tell you you can’t change your username. This is because changing your username actually involves a lot more than just changing your username. There are posts and relations and metadata and all sorts of stuff that could get broken if you just up and changed your username. Most of that stuff is tied to your user ID and not your username, per se, but there is still enough stuff that would get broken if all you did was change the username, so WordPress doesn’t allow you to do it.

Answer 2: Let a plugin do it

There are various plugins (like this one) that can change your username. I still think it’s sketchy since I don’t know exactly what the plugin is doing and it could break stuff. But to each their own. Surely nothing could go horribly awry, right? It’s only your data, right?

Answer 3: Hack the database

Yeah, I’m not even going to start with this. Hacking the database, while feasible, is probably not a good idea.

Answer 4: Create a new user

Let’s call this the “right way” (even though right or wrong is somewhat subjective).

  1. Create a new user account (I won’t go through the steps of making a user account, I’ll assume you can figure it out. Hint: Start with Add User.) Name this user account something you’ll remember. Like your name. Or, if you want to be a little more mysterious you can use a nickname or your Twitter handle or something. Just as long as your name isn’t Ad Min, or your nickname or twitter handle is Administrator, you’ll probably be all set. You will also need to use a different email address to create the account, but this can be changed after step 2. If you have a Gmail account you can add +something before the @ symbol to create a quick alias for your email address. So, something like [email protected] would be seen (by Gmail) as the same thing as [email protected]. Or you can just use a fake address and change it in step 3.
  2. Once your new user is created delete your old, admin user. Log out of your ‘admin’ account and log in to your new admin user account you just created. Then go back to Users and hit the delete link.
    What? Delete?? you say? Yes. Delete. On the next screen you will be given a choice of which user to assign all the posts belonging to that user to, and at that point you can select your new user account.
  3. (Optional) If you want, you can now go back to your new user account and change the email address to your regular email address if you used a fake address or a temporary address.

IMPORTANT!!! Make sure you create an Administrator user!!! I don’t think WordPress will let you do something so dumb as deleting your one and only WordPress admin user, but then again, it might. Don’t let it. Make sure that the user account you’re creating is an Administrator. By default, it will be a Subscriber which will give you access to exactly nothing when you log in with that account.

That’s it. Like Gotham City, this doesn’t mean you are safe. There are always exploits, vulnerabilities, and a weak password will always be an invitation to hackers even if you’re using a non-admin username. But this will take care of the immediate threat. Want to harden your site even more? This post on WPDaily has some great tips. I also recommend the No Weak Passwords plugin which will disallow passwords if they are found on the most common passwords list. (You didn’t know there was a list? There is.)



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.