Save up to 25% on pro security plugins w/ our Security Bundle »
Web Dev + WordPress + Security

Use Strong Usernames for Better Security

[ Two Passwords = Two Bad ]Image courtesy of Here is a quick security tip for people using popular apps on the Web. That is, apps like WordPress that may be widely used and targeted by bad actors and/or automated scripts. It’s all about adding another layer of security by hardening admin-level usernames..

Every now and then, I get an email letting me know that someone has requested a password reset for one of my admin-level WordPress accounts. Usually, the email notifications are sent directly from my WordPress installation. They look similar to the following:

Someone has requested a password reset for the following account:

Username: myusername

If this was a mistake, just ignore this email and nothing will happen.

Besides this just being annoying, random people/scripts should not be able to guess your admin username, let alone request to change it.

Another layer of security

Even if it’s virtually impossible to change somebody else’s password without access to their email account, keeping admin-level usernames random and difficult to guess adds another layer of protection to your site. So that’s the basic idea:

Never use the default “admin” or similar username. Always change it to something that is random and/or difficult to guess.

Why? One good reason is the very common brute-force type of attack, where scumbags run scripts trying different password/username combinations to gain access to your site. This is significantly more time-consuming and difficult to accomplish when having to guess not just the password, but also the username.

It’s a simple yet effective way to add another layer of security

Using a difficult to guess username is like having two passwords for your account. I think this is a good way to add more protection, especially for admin-level accounts.

Keep it secret

It’s important to understand that some CMS/apps may display the admin username on the front-end of your site. For example, depending on your theme and plugins, WordPress may do this on various types of page views (e.g., Author Archives). So if possible, change the settings or template code to prevent this.

For example, in WordPress you can change which version of your name is displayed by visiting your User Profile settings. There you can change the Display Name to something other than the actual admin username. So even if you are using the default username, “admin”, or something else that is easy to guess, you can “hide” it from evil-doers by simply setting the Display Name setting to something else.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
USP Pro: Unlimited front-end forms for user-submitted posts and more.

4 responses to “Use Strong Usernames for Better Security”

  1. Avatar photo
    Chris Tingom 2016/02/26 1:02 pm

    I picked up the username ‘superman’ on years ago and I get about 5 password reset emails every month. Invariably, someone ends up on the page (which I don’t post to often) and submits a password reset. So, yes, this is good advice.

    • Avatar photo
      Jeff Starr 2016/02/26 1:09 pm

      Great username! (but yeah maybe could be more difficult to guess)

      Thanks for the feedback, Chris.

  2. I’m afraid that the tip to change the display name doesn’t work to mask the real username. If you go to you will see a 404. In other words the archive is always attached to the actual username.

    I think it should be possible to change that, probably with a rewrite rule or something?

    As for your suggestion to use more difficult usernames, ever since I have the 1Password app to manage all my passwords, my usernames are similar to my passwords, because I don’t need to remember them anyway anymore.

    Another idea to make a username specific to the site you need it for and then use a letter scrambler to mix up the letters to make it more difficult (read: near impossible) to guess. “pietfacebook” could then become “pefkbaiecoto” using the letter scrambler here.

    • Avatar photo
      Jeff Starr 2016/02/29 9:16 am

      I’m not sure about the username archive always being the case, here is mine:

      ..but “perish” is not my username. It could be because I changed it awhile ago, but I’m not sure. Either way, just because the resource exists, if it’s not linked to from anywhere then it’s the same as trying to guess a password (i.e., some are stronger than others).

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Wizard’s SQL for WordPress: Over 300+ recipes! Check the Demo »
Fall season almost here :)
My greatest skill on social media is the ability to simply ignore 98% and keep scrolling without interacting.
Enjoying this summer, getting some great positive energy. Refreshing and inspiring.
☀️ Pro plugin giveaway! Enter to win 1 of 4 lifetime licenses for our WordPress security plugins, including 10-site Security Bundle!
There is no end to what humans can achieve when they work together.
Excellent (and free) tool to test your site's SSL configuration.
Plugin updates! All of our free and pro plugins ready for WordPress 6.2.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.