The WordPress administrator account is the most targeted account on a WordPress blog or site. Therefore it is recommended to properly secure the WordPress administrator account.
One of the recommended security tweaks is to change the default ID assigned to the WordPress administrator user account. This WordPress security article explains why you should change the default WordPress administrator account ID and how to change it.
Why change the WordPress administrator user ID
If your WordPress blog or site is the victim of a targeted attack, a malicious hacker can easily identify the WordPress administrator username, either manually or with automated tools. Once the attacker knows the username of your WordPress administrator, he can launch a brute force or dictionary attack specifically against the WordPress administrator account, which makes the attack a much easier feat.
If the attacker does not know the WordPress administrator username, he has to guess both the username and the password during a brute force attack. The chances that the attack will succeed are therefore much lower and the attack takes much longer to complete; the longer it takes, the greater the chances that you or your hosting provider identify the attack, which is exactly what you want.
WP White Security Tip: By changing the WordPress administrator user ID you are protecting your WordPress from targeted attacks. To protect your WordPress from automated, non-targeted WordPress brute force attacks refer to the article How to protect your WordPress from brute force attacks.
How to manually identify the WordPress administrator username
By default the ID of the built-in WordPress administrator account is 1. Therefore, unless you change the ID of the WordPress administrator to a higher random number, anyone can use the URL below to identify the WordPress administrator username, regardless of the permalinks configured on your WordPress.
If the WordPress administrator ID is still set to 1, the request is redirected to the URL below, where the username is shown at the end of the URL. For example, in the URL below the username is superadmin.
Note: The above URLs are used as an example and will not work on the WP White Security website.
Automatically identify the WordPress administrator username
There are several free tools available online which malicious attackers can use against you, such as WPScan WordPress black box scanner.
When you launch a default WordPress security scan with WPScan, it automatically enumerates all users with a low (default) user ID, thus uncovering the username of the WordPress administrator account. WPScan can also enumerate WordPress users with higher IDs, as explained in How to enumerate WordPress users with WPScan. Even so, the higher the WordPress administrator user ID is, the longer it takes the scanner to guess it, which again prolongs the attack and increases the chances of identifying and blocking it.
How to change the ID of the WordPress administrator
To change the default WordPress administrator account ID you need to make changes to the WordPress database, so before proceeding with any changes back up your WordPress. If you are new to WordPress backups, refer to one of the following articles: How to make a manual WordPress backup, or the reliable and secure online WordPress backups WP White Security uses.
Before you change the WordPress administrator account ID, also ensure that the administrator account does not have any posts or pages assigned to it. If it does, change the author of those posts or pages to a user with the Author role, either manually or with an SQL query that changes the author ID of those posts automatically.
Once you have done a WordPress database backup, connect to your WordPress database using the MySQL command line tool or the web based phpMyAdmin and execute the below queries on the WordPress database:
UPDATE wp_users SET ID = 1024 WHERE ID = 1;
The above MySQL query changes the default WordPress administrator user ID from 1 to 1024 in the wp_users table, the table where the user credentials are stored.
UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;
The above MySQL query changes the default WordPress administrator user ID from 1 to 1024 in the wp_usermeta table, where user related data (roles, capabilities and profile settings) is stored.
WP White Security Tip: Always use a big number for the new WordPress administrator ID. The bigger the number, the lower the chances of it being discovered, because a fuzzing attack takes longer to reach that number.
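The procedure above as one complete script, an added example that is not part of the original article. It assumes the default wp_ table prefix and the new ID 1024 used above, and it also reassigns the posts and comments mentioned earlier (to a hypothetical Author-role user with ID 5) and checks the result, which the two bare queries do not do.

```sql
-- Added example: change the built-in administrator's ID from 1 to 1024.
-- Assumptions: table prefix wp_, InnoDB tables (MyISAM ignores transactions),
-- and an existing Author-role user with ID 5 that will own reassigned content.

-- Pre-flight checks: run these first and stop if any count is not 0.
SELECT COUNT(*) AS id_1024_already_in_use FROM wp_users    WHERE ID = 1024;
SELECT COUNT(*) AS posts_still_owned_by_1  FROM wp_posts    WHERE post_author = 1;
SELECT COUNT(*) AS comments_still_owned_by_1 FROM wp_comments WHERE user_id = 1;

START TRANSACTION;

-- Reassign any remaining posts/pages and comments so nothing is orphaned.
UPDATE wp_posts    SET post_author = 5 WHERE post_author = 1;
UPDATE wp_comments SET user_id     = 5 WHERE user_id     = 1;

-- Move the account: credentials row first, then its metadata (roles, capabilities).
UPDATE wp_users    SET ID      = 1024 WHERE ID      = 1;
UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;

-- Verify before committing: ID 1 must be gone everywhere, 1024 must carry the login.
SELECT ID, user_login FROM wp_users WHERE ID IN (1, 1024);
SELECT COUNT(*) AS meta_left_on_1 FROM wp_usermeta WHERE user_id = 1;      -- expect 0
SELECT COUNT(*) AS meta_moved     FROM wp_usermeta WHERE user_id = 1024;   -- expect > 0

COMMIT;   -- use ROLLBACK instead if any check above looked wrong

-- Optional: UPDATE does not advance the AUTO_INCREMENT counter, so a future
-- user insert could one day collide with 1024. To rule that out:
-- ALTER TABLE wp_users AUTO_INCREMENT = 1025;
```

After committing, log in once with the administrator account to confirm that the role and capabilities (stored in wp_usermeta) followed the new ID.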
Protecting your WordPress administrator account
Even if you think your WordPress blogs or websites will never be the victim of a targeted attack, it is still recommended that you make this change, because at the end of the day every online website is a target. After all, it only takes a few minutes to change the ID of a WordPress administrator account. Note that there is no need to change the user ID of the other WordPress users that do not have administrator privileges, since it is typically the administrator account that is targeted. Having said that, you should always ensure that all WordPress users use strong passwords, and where possible you should hide all WordPress usernames.