Celebrating 20 years online :)
Web Dev + WordPress + Security

Use Strong Usernames for Better Security

[ Two Passwords = Two Bad ]Image courtesy of eChunks.com Here is a quick security tip for people using popular apps on the Web. That is, apps like WordPress that may be widely used and targeted by bad actors and/or automated scripts. It’s all about adding another layer of security by hardening admin-level usernames..

Every now and then, I get an email letting me know that someone has requested a password reset for one of my admin-level WordPress accounts. Usually, the email notifications are sent directly from my WordPress installation. They look similar to the following:

Someone has requested a password reset for the following account:


Username: myusername

If this was a mistake, just ignore this email and nothing will happen.

Besides this just being annoying, random people/scripts should not be able to guess your admin username, let alone request to change it.

Another layer of security

Even if it’s virtually impossible to change somebody else’s password without access to their email account, keeping admin-level usernames random and difficult to guess adds another layer of protection to your site. So that’s the basic idea:

Never use the default “admin” or similar username. Always change it to something that is random and/or difficult to guess.

Why? One good reason is the very common brute-force type of attack, where scumbags run scripts trying different password/username combinations to gain access to your site. This is significantly more time-consuming and difficult to accomplish when having to guess not just the password, but also the username.

It’s a simple yet effective way to add another layer of security

Using a difficult to guess username is like having two passwords for your account. I think this is a good way to add more protection, especially for admin-level accounts.

Keep it secret

It’s important to understand that some CMS/apps may display the admin username on the front-end of your site. For example, depending on your theme and plugins, WordPress may do this on various types of page views (e.g., Author Archives). So if possible, change the settings or template code to prevent this.

For example, in WordPress you can change which version of your name is displayed by visiting your User Profile settings. There you can change the Display Name to something other than the actual admin username. So even if you are using the default username, “admin”, or something else that is easy to guess, you can “hide” it from evil-doers by simply setting the Display Name setting to something else.

About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.
The Tao of WordPress: Master the art of WordPress.

4 responses to “Use Strong Usernames for Better Security”

  1. Chris Tingom 2016/02/26 1:02 pm

    I picked up the username ‘superman’ on WordPress.com years ago and I get about 5 password reset emails every month. Invariably, someone ends up on the page (which I don’t post to often) and submits a password reset. So, yes, this is good advice.

    • Jeff Starr 2016/02/26 1:09 pm

      Great username! (but yeah maybe could be more difficult to guess)

      Thanks for the feedback, Chris.

  2. I’m afraid that the tip to change the display name doesn’t work to mask the real username. If you go to example.com/author/display-name/ you will see a 404. In other words the archive is always attached to the actual username.

    I think it should be possible to change that, probably with a rewrite rule or something?

    As for your suggestion to use more difficult usernames, ever since I have the 1Password app to manage all my passwords, my usernames are similar to my passwords, because I don’t need to remember them anyway anymore.

    Another idea to make a username specific to the site you need it for and then use a letter scrambler to mix up the letters to make it more difficult (read: near impossible) to guess. “pietfacebook” could then become “pefkbaiecoto” using the letter scrambler here.

    • Jeff Starr 2016/02/29 9:16 am

      I’m not sure about the username archive always being the case, here is mine:


      ..but “perish” is not my username. It could be because I changed it awhile ago, but I’m not sure. Either way, just because the resource exists, if it’s not linked to from anywhere then it’s the same as trying to guess a password (i.e., some are stronger than others).

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
WP Themes In Depth: Build and sell awesome WordPress themes.
Crazy that we’re almost halfway thru 2024.
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.