If your WordPress user list includes an administrator named "admin", you need to get rid of that account immediately. Deleting the WordPress user named admin is important because hackers know to target this username: for many years, it was the default user created on installation.
If you install WordPress through your hosting control panel, you are not always given a chance to change the username before installation. Many unsuspecting folks, especially new users, may not see a reason to change it.
So now a hacker has 50% of the information they need to get into your site.
Since many people use weak (or simple) passwords, hackers can automate repeated attempts at guessing yours.
If the account exists, the attacker only has to guess the password to gain access to your site.
Not having to guess both the username and the password makes their job significantly easier.
If your password isn’t strong, they have a good chance of gaining access.
To verify whether the account exists, log into your site, go to Users > All Users, and look in the Username column for “admin”.
If your site has this account, it is wise to remove it as soon as possible.
You will need to create a new administrator account with a different username first.
Then, delete the default admin account.
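The same two steps can be scripted with WP-CLI. This is an added example, not part of the original post; it assumes WP-CLI (`wp`) is installed and run from the site root, and the function names, new username and email address are placeholders you choose.

```shell
#!/bin/sh
# Added example (not from the original post): swap out the default "admin"
# account with WP-CLI. Assumes `wp` is on PATH and is run from the site root.

# Print the ID of the administrator whose login is "admin" (any letter case).
# Parses the CSV that `wp user list` emits: header row, then ID,user_login.
find_default_admin() {
  wp user list --role=administrator --fields=ID,user_login --format=csv |
    awk -F, 'NR > 1 && tolower($2) == "admin" { print $1 }'
}

# Usage: replace_default_admin NEW_LOGIN NEW_EMAIL  (both are caller-chosen)
replace_default_admin() {
  new_login=$1
  new_email=$2

  # Refuse to recreate the very username we are trying to retire.
  lowered=$(printf '%s' "$new_login" | tr '[:upper:]' '[:lower:]')
  if [ -z "$new_login" ] || [ "$lowered" = "admin" ]; then
    echo "choose a new username other than admin" >&2
    return 1
  fi

  old_id=$(find_default_admin)
  if [ -z "$old_id" ]; then
    echo "no administrator named admin found; nothing to do"
    return 0
  fi

  # Step 1: create the replacement first so the site is never left without
  # an administrator. --porcelain prints only the new user ID; --send-email
  # mails the account details to NEW_EMAIL.
  new_id=$(wp user create "$new_login" "$new_email" \
    --role=administrator --porcelain --send-email) || return 1

  # Step 2: delete the old account, handing its posts to the new one.
  # Without --reassign the old account's content is deleted with it.
  wp user delete "$old_id" --reassign="$new_id"
}

# Run only when called as: sh replace-admin.sh NEW_LOGIN NEW_EMAIL
if [ "$#" -eq 2 ]; then
  replace_default_admin "$1" "$2"
fi
```

Reassigning on delete matters if the old admin account authored posts or pages, since those would otherwise be removed along with the user.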
Other small steps you can take:
- Install the Limit Login Attempts plugin, which is designed to prevent brute force attacks.
- Make sure you’re running Cloudflare on your site. Cloudflare can intercept a lot of attackers before they even reach your site.
With the old default ADMIN account gone, your site is a little bit safer.
Let others know that deleting the WordPress user named admin is one of the first things they must do with a new site.