
Use Strong Usernames for Better Security

Here is a quick security tip for people using popular apps on the Web. That is, apps like WordPress that may be widely used and targeted by bad actors and/or automated scripts. It’s all about adding another layer of security by hardening admin-level usernames.

Every now and then, I get an email letting me know that someone has requested a password reset for one of my admin-level WordPress accounts. Usually, the email notifications are sent directly from my WordPress installation. They look similar to the following:

Someone has requested a password reset for the following account:

Username: myusername

If this was a mistake, just ignore this email and nothing will happen.

Besides being annoying, this shows a real problem: random people/scripts should not be able to guess your admin username, let alone request a password reset for it.

Another layer of security

Even if it’s virtually impossible to change somebody else’s password without access to their email account, keeping admin-level usernames random and difficult to guess adds another layer of protection to your site. So that’s the basic idea:

Never use the default “admin” or similar username. Always change it to something that is random and/or difficult to guess.

Why? One good reason is the very common brute-force type of attack, where scumbags run scripts trying different password/username combinations to gain access to your site. This is significantly more time-consuming and difficult to accomplish when having to guess not just the password, but also the username.

It’s a simple yet effective way to add another layer of security

Using a difficult-to-guess username is like having two passwords for your account. I think this is a good way to add more protection, especially for admin-level accounts.

Keep it secret

It’s important to understand that some CMS/apps may display the admin username on the front-end of your site. For example, depending on your theme and plugins, WordPress may do this on various types of page views (e.g., Author Archives). So if possible, change the settings or template code to prevent this.

For example, in WordPress you can change which version of your name is displayed by visiting your User Profile settings. There you can change the Display Name to something other than the actual admin username. So even if you are using the default username, “admin”, or something else that is easy to guess, you can “hide” it from evil-doers by simply setting the Display Name setting to something else.
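The Display Name setting changes the name shown in bylines, but the author archive URL uses a separate slug (`user_nicename`) that WordPress derives from the login name when the account is created. As an added example (not code from the original post), here is a small must-use plugin that stops the front end from confirming or printing that slug. The file path is hypothetical; the hooks and functions are standard WordPress core ones.

```php
<?php
/**
 * Plugin Name: Hide Author Slugs
 * Description: Added example; hypothetical file wp-content/mu-plugins/hide-author-slugs.php.
 */

// 1. Author archives: /author/<slug>/ and /?author=<ID> both resolve to the
//    author archive. Answer 404 so an existing slug looks the same as a
//    nonexistent one. Priority 1 runs before core's redirect_canonical
//    (priority 10), which would otherwise answer /?author=<ID> with a
//    redirect whose Location header contains the slug.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
}, 1 );

// 2. Byline links: point theme-generated author links at the home page so
//    the slug is not printed in post markup.
add_filter( 'author_link', function () {
    return home_url( '/' );
} );

// 3. REST API: /wp-json/wp/v2/users lists the slug of every user with
//    published posts. Remove the routes for visitors who are not logged in;
//    logged-in users keep them because the block editor uses them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Comment markup: comments by registered users get a CSS class of the
//    form comment-author-<slug>. Strip it before the theme prints it.
add_filter( 'comment_class', function ( $classes ) {
    return array_values( array_filter( $classes, function ( $class ) {
        return strpos( $class, 'comment-author-' ) !== 0;
    } ) );
} );
```

After installing it, check the result from a logged-out browser: `/?author=1` and `/wp-json/wp/v2/users` should both return a 404 status with no slug in the response.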

Jeff Starr
About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

4 responses to “Use Strong Usernames for Better Security”

  1. Chris Tingom 2016/02/26 1:02 pm

    I picked up the username ‘superman’ on years ago and I get about 5 password reset emails every month. Invariably, someone ends up on the page (which I don’t post to often) and submits a password reset. So, yes, this is good advice.

    • Jeff Starr 2016/02/26 1:09 pm

      Great username! (but yeah maybe could be more difficult to guess)

      Thanks for the feedback, Chris.

  2. I’m afraid that the tip to change the display name doesn’t work to mask the real username. If you go to you will see a 404. In other words the archive is always attached to the actual username.

    I think it should be possible to change that, probably with a rewrite rule or something?

    As for your suggestion to use more difficult usernames, ever since I have the 1Password app to manage all my passwords, my usernames are similar to my passwords, because I don’t need to remember them anyway anymore.

    Another idea is to make a username specific to the site you need it for and then use a letter scrambler to mix up the letters to make it more difficult (read: near impossible) to guess. “pietfacebook” could then become “pefkbaiecoto” using the letter scrambler here.

    • Jeff Starr 2016/02/29 9:16 am

      I’m not sure about the username archive always being the case, here is mine:

      ..but “perish” is not my username. It could be because I changed it awhile ago, but I’m not sure. Either way, just because the resource exists, if it’s not linked to from anywhere then it’s the same as trying to guess a password (i.e., some are stronger than others).

Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »