Use Strong Usernames for Better Security

[ Two Passwords = Two Bad ]
Image courtesy of
Here is a quick security tip for people using popular apps on the Web. That is, apps like WordPress that may be widely used and targeted by bad actors and/or automated scripts. It’s all about adding another layer of security by hardening admin-level usernames..

Every now and then, I get an email letting me know that someone has requested a password reset for one of my admin-level WordPress accounts. The email notification was sent from WordPress and looked similar to the following:

Someone has requested a password reset for the following account:

Username: myusername

If this was a mistake, just ignore this email and nothing will happen.

Besides this just being annoying, random people/scripts should not be able to guess your admin username, let alone request to change it.

Another layer of security

Even if it’s virtually impossible to change somebody else’s password without access to their email account, keeping admin-level usernames random and difficult to guess adds another layer of protection to your site. So that’s the basic idea:

Never use the default “admin” or similar username. Always change it to something that is random and/or difficult to guess.

Why? One good reason is the very common brute-force type of attack, where scumbags run scripts trying different password/username combinations to gain access to your site. This is significantly more time-consuming and difficult to accomplish when having to guess not just the password, but the username as well.

It’s a simple yet effective way to add another layer of security to your site.

Using a difficult to guess username is like having two passwords for your account. I think this is a good way to add more protection, especially for admin-level accounts.

Keep it secret

It’s important to understand that some CMS/apps may display the admin username on the front-end of your site. For example, depending on your theme and plugins, WordPress may do this on various types of page views (e.g., Author Archives). So if possible, change the settings or template code to prevent this.

For example, in WordPress you can change which version of your name is displayed by visiting your User Profile settings. There you can change the Display Name to something other than the actual admin username. So even if you are using the default username, “admin”, or something else that is easy to guess, you can “hide” it from evil-doers by simply setting the Display Name setting to something else.