Disable the default admin – the first thing you should do after getting a WordPress site

If you’ve followed Jerry Jenkin’s advice, you’ve got your own site. His tutorial is fantastic for walking you through the process of setting up the site step by step. Congratulations! You’re on the web.

You’ve also just painted a large target on your back, and not only for the Internet trolls. Don’t worry, those guys will come in time, but the immediate threat is from the bad guys who want to use your domain to do bad things like host malware that infects other people’s computers, send spam, or redirect your visitors somewhere nasty. We call them bad guys for a reason.

To take over your site, the bad guys need two things: a username and a password, for an account with complete access to the site (the Administrator role). If they can guess the username and password of an administrator account, they can take the site over and do whatever they want with it.

For years WordPress created a default administrator account called admin, and many hosting companies’ one-click installers still do (or people simply type admin when the installer asks for a name). Since the bad guys know it’s usually there, they already have the username; admin is the first name every automated attack tool tries. Now they just need to guess the password, and they have programs that will try thousands of passwords for them, around the clock, against your login page.

Let’s take this advantage away from them. The first thing you should do after getting a WordPress site is disable that default admin account. This post will show you how.

On the left-hand side of the WordPress dashboard, find the Users section.

Click on Users. You should now see a link for Add New User. Click on it.

That will bring you to the screen to create a new user.

The first thing you have to fill in is the username. Take a moment to think about this. You don’t want to make it something obvious. The bad guys who want to mess with your site need two things, the username and the password. We’re taking admin away because they know it’s there, but the bad guys are smart. They’ve taken over many sites, and their tools will try to deduce likely usernames from your site before they start guessing passwords.

For example, my site is tedatchley.com. Once they figure out I got rid of the default admin account, the first usernames they’re going to try are ted and tedatchley, along with things like tatchley and ted.atchley.

Come up with a creative username. Something easy for you to remember, but not something obvious. It’s the same concept as locking your doors, or putting a security sign in the yard. We want to do everything we can to make it hard on the bad guys so they eventually decide it’s not worth their time to keep messing with your site and instead go look for an easier site to hack. One caveat: don’t treat the username as a real secret. WordPress shows the author’s name on every post and can reveal an account’s slug through its author archive pages, so a determined attacker can often find the username anyway. A hard-to-guess username slows the automated tools down; the strong password you’re about to set is what actually keeps them out.
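To make the “obvious username” idea concrete, here is a small checker that builds the same list of guesses an attacker’s tool would try first (the domain label, your first and last name and the usual combinations of them, plus the generic logins every scanner tries) and tells you whether a candidate username is on it. This is an added example, not code from the original post or from WordPress; the heuristics, function names and the sample site details are my own assumptions, and it ignores case, punctuation and a trailing number so that Ted.Atchley2024 is treated as the same guess as tedatchley.

```python
import re

# Generic account names that brute-force tools try against every site.
# Constructed list for this example; real wordlists are much longer.
COMMON_LOGINS = {
    "admin", "administrator", "root", "user", "test", "wordpress", "wp",
    "webmaster", "editor", "support", "info", "guest", "demo",
}


def _normalize(name):
    """Lower-case, strip anything that is not a letter or digit, and drop a
    trailing run of digits (attackers just append years or counters)."""
    base = re.sub(r"[^a-z0-9]", "", name.lower())
    return re.sub(r"\d+$", "", base) or base


def likely_guesses(domain, first_name, last_name, site_title=None):
    """Return the set of normalized usernames an attacker would try first.

    Heuristics (assumed for this example):
      * the domain label: tedatchley.com -> tedatchley
      * first name, last name, and common joins: tedatchley, atchleyted,
        tatchley, teda, ted.atchley, ted_atchley
      * every word of the site title and the whole title run together
      * the generic logins in COMMON_LOGINS
    """
    parts = [p for p in domain.lower().split(".") if p and p != "www"]
    label = parts[0] if parts else ""
    first, last = first_name.lower(), last_name.lower()

    raw = set(COMMON_LOGINS)
    raw.update({
        label, first, last,
        first + last, last + first,
        first[:1] + last, first + last[:1],
        first + "." + last, first + "_" + last,
    })
    if site_title:
        words = site_title.lower().split()
        raw.add("".join(words))
        raw.update(words)

    return {n for n in (_normalize(g) for g in raw if g) if n}


def is_guessable(username, domain, first_name, last_name, site_title=None):
    """True if `username` is one of the obvious guesses.  Such a name hands
    the attacker half of what they need before they start on the password."""
    return _normalize(username) in likely_guesses(
        domain, first_name, last_name, site_title
    )


if __name__ == "__main__":
    # Constructed sample: the site and owner named in the post.
    site = ("tedatchley.com", "Ted", "Atchley", "Ted Atchley's Blog")
    for candidate in ["admin", "ted", "Ted.Atchley2024", "blog", "quietmoose42"]:
        verdict = "too obvious" if is_guessable(candidate, *site) else "ok"
        print(f"{candidate:16} {verdict}")
```

The last candidate is the kind of name the post is asking for: memorable to you, but not derivable from the domain, your name or the site title. Run the script against your own details before you create the account.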

Once you have settled on your creative username, fill in the username, email, first name, last name and website. Do fill in the first and last name: WordPress uses them as the name shown publicly on your posts, instead of showing the username itself. Then click on Show password.

It will open up with a box showing a good strong password. I’ve blurred mine out because I don’t want even an example password in a public area.

If you’re going to use it, be sure you write it down somewhere and save it. A Word or Notepad file on your own computer will do as a stopgap until you get a good password manager, but move it into the password manager as soon as you have one.

Uncheck the box that says “Send the new user an email about their account”. This is an account for you, so there’s no need to send yourself an email. Next, click the little black arrow next to the Role dropdown, which defaults to Subscriber.

Select Administrator. Once you’re all done, click Add New User.

You should now see two users in the list. The original admin and the one you just created.

In the top right corner of the screen, you should see something like “Howdy, admin”. Move your mouse over those words and you’ll see some new options.

Double check one more time that you have your new username and password saved to that Notepad file or written down, because you’re about to lose the old one. Then click on Log Out. This should bring you back to the main WordPress login screen.

Fill in the username and password you created and click Log In. This should bring you back into WordPress. In the top right corner it should now say “Howdy” followed by your own username.

Go back to the Users section.

Click the box next to the original admin user.

Next click the black arrow next to “Change role to…”

Pick Author. (This step is optional: the deletion below reassigns the content either way, but demoting the account first means it is harmless even if you get interrupted before finishing.)

Then click on Change.

Move your mouse over the original admin user. You’ll see the words Edit, View and Delete.

Click on Delete. WordPress will ask you what to do with admin’s content.

Select “Attribute all content to:” and then select the new user you just created.

Then click on the Confirm Deletion button.

The admin user should no longer be in the user list and can’t be used by the bad guys. Their tools will keep knocking on your login page, but now they have to guess both halves, a username they don’t know and a password they can’t guess.