Over one weekend I went from getting one or two login attempts, every week or so, to over a thousand in two days. The hackers didn’t get in, but it’s still alarming. (I ran a free scan of my site over at sucuri.net and also with the new plugin, WordFence Security, just to be sure my site is still secure.) If you don’t know much about WordPress security yet, read my post on WordPress Security for Beginners.
I haven’t been able to find a reason for the sudden increase in attempts; it’s probably just bad luck. But my research led me to install a third security plugin, Wordfence. (If you install too many security plugins, they can interfere with each other, but for now this seems to be a good trio.) I now have JetPack (it has a security part), Sucuri Security, and WordFence Security – all free plugins – installed and activated.
I had already taken care of the basics: my username is not “admin” or “administrator.” But my username did have my URL as part of a longer username, and with WordFence I could see that the hackers had tried using my URL as my username. It was making me nervous.
WordPress developers debate how important it is to keep your username secret and difficult to guess. You can see several developers debate it at Why Showing the WordPress Username is Not a Security Risk. My son, who’s way more technical than I am, agrees. He explained how it’s fairly easy to get tables that contain both usernames and passwords, but the passwords are encrypted. Something about the usernames can’t be encrypted, so that they can be used by the program to un-encrypt the password when you log in, yada, yada, yada. I can’t quote him word for word, but that was the gist of it. Isn’t that professional of me?
Basically, it’s only dangerous to use something like “admin” as your username if your password is also something easy to guess like 123456.
A STRONG PASSWORD is what you want to focus on.
But it was still making me nervous to keep seeing part of my administrator name showing up in the hacking attempts.
I decided to change my username, and I wanted to do it without using ftp, or changing code, or anything like that. Which means it takes a few more steps and requires that you have at least two email addresses, but it’s doable. And it also means that if you use JetPack, your site will disconnect from your JetPack account and you’ll have to reconnect it. None of the posts I found warned me about that!
How to change your WordPress Username and Password without coding
In this tutorial we’re going to change our Username and password by creating a new user, with a different email and administrator privileges, and deleting the old administrator user.
BACKUP your site before you start this process. To create a new Administrator user, you’re going to have to delete the old user and attribute all the content to the new one, and also reconnect to JetPack. Which should work without a hitch. But these are computers, so make that backup!
If you haven’t used my tutorials before, start by reading How to read my WordPress tutorials.
You will need to have at least two email addresses that you can use to do this. WordPress will only allow one user to use each email address.
Create a new WordPress User
From your WordPress dashboard:
> Users > Add New
Fill out all the required information, including:
Username: will be the username you use to log into this account, as well as the name that will show up under “users” on your WordPress dashboard.
Email: must be an address that is not currently used by another user on this WordPress site (only one user per email address).
Password: You won’t pick a password yet. That will be done after you receive the email.
Role: choose “Administrator”
> Add New User
Go to your email and make sure you received your new user email.
Go back to your WordPress site, upper right hand corner, > Logout.
Go back to your email and click on the link to set your password.
Enter a new password.
> Reset Password
To log in, you will use the Username you entered when you set up your new user (also found in your email) and the password you just entered.
Now we need to delete the old Administrator user, to free up that email address, so that we can change the new user to the original email address.
How to delete a WordPress User
Before you do this make sure you have backed up your site!
> Users > All Users
Hover over the old Administrator User
Choose “Attribute all content to” and choose your new administrator user’s name.
> Confirm Deletion
(Accidentally choosing “Delete all content” is one of those times that you would want your backups!)
Now, unfortunately, your site is disconnected from JetPack. I assume JetPack is associated with the email of your old administrator user, so we’re going to change the email on your new administrator to your original email. Each email can only have one user, so you couldn’t do this until you delete the original user.
How to change the email for a WordPress user
> Users > All Users
Hover under the user, > Edit
Scroll down to find E-mail and enter your email address that is associated with WordPress.com and thus Jetpack.
> Update Profile
Connect to JetPack
Now from your dashboard
> Link your Account to WordPress.com
Check to make sure it’s connecting to the right account.
All of your JetPack settings and statistics should reappear. If not, that’s going to be where you’ll be glad you made a backup. 🙂
If you don’t have two email addresses, or don’t want to go through the hassle of having to reconnect to Jetpack, I’m sure it’s faster to just change the code – provided you don’t make any mistakes! If you want directions for how to change your username using phpMyAdmin, you can find those directions on WPBeginner.
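For readers who do have shell access to their site, the same create, delete-and-reassign, then re-email sequence from the steps above can be scripted with WP-CLI. This is an added example, not part of the original tutorial; the function name swap_admin and its three arguments are made up for illustration, and it assumes WP-CLI is installed and run from the WordPress directory after a backup.

```shell
#!/bin/sh
# Added example: the tutorial's create -> delete/reassign -> re-email steps
# as one WP-CLI function. swap_admin and its arguments are hypothetical names.

# swap_admin OLD_LOGIN NEW_LOGIN TEMP_EMAIL
# Stops at the first failing step and returns non-zero.
swap_admin() {
    old_login=$1 new_login=$2 temp_email=$3
    [ -n "$old_login" ] && [ -n "$new_login" ] && [ -n "$temp_email" ] || {
        echo "usage: swap_admin OLD_LOGIN NEW_LOGIN TEMP_EMAIL" >&2; return 2; }

    # Remember the original address so it can be moved to the new account.
    orig_email=$(wp user get "$old_login" --field=user_email) || return 1

    # Refuse to continue if the new username is already taken.
    if wp user get "$new_login" --field=ID >/dev/null 2>&1; then
        echo "user '$new_login' already exists" >&2; return 1
    fi

    # Step 1: new administrator on the second address. --porcelain prints
    # only the new user ID; --send-email mails the account details.
    new_id=$(wp user create "$new_login" "$temp_email" \
        --role=administrator --send-email --porcelain) || return 1

    # Step 2: delete the old administrator and attribute its content to the
    # new user (the "Attribute all content to" choice in the dashboard).
    wp user delete "$old_login" --reassign="$new_id" --yes || return 1

    # Step 3: the original address is free again; move it to the new user.
    wp user update "$new_id" --user_email="$orig_email" || return 1

    # Show which administrator accounts remain so the result can be checked.
    wp user list --role=administrator --fields=ID,user_login,user_email
}

# Usage (values are placeholders):
#   swap_admin old-admin-name new-admin-name second-address@example.com
```

The dashboard route above disconnected Jetpack, so check that connection after running this as well.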
Now, for WordPress security, it’s a good idea to create a new user as an Author or Editor to use whenever you make new posts from an un-secure location, any place where someone else can access wifi and swipe your password as you enter it. To do that, see my WordPress tutorial How to add yourself as a WordPress Editor or Author.
I hope these directions work for you! Please leave a comment (if the comments on this post are closed, comment on my latest post) or contact me and let me know if you run into a difficulty. I’ll do my best to make sure my directions are clear and still up to date. However, I am not a WordPress developer and unfortunately I can not provide technical support. If you need more help, a place to start is the WordPress support forums. And check out all my WordPress tutorials.