Why You Should Change the WordPress Administrator User ID

The WordPress administrator account is the most targeted account on a WordPress blog or site. Therefore it is recommended to properly secure the WordPress administrator account.

One of the recommended security tweaks is to change the default ID assigned to the WordPress administrator user account. This WordPress security article explains why you should change the default WordPress administrator account ID and how to change it.

Why change the WordPress administrator user ID

If your WordPress blog or site is the victim of a targeted attack, a malicious hacker can easily identify the WordPress administrator username, either manually or with automated tools. Once the attacker knows the username of your WordPress administrator, he can launch a brute force or dictionary attack specifically against that account, which makes the attack much easier.

If the attacker does not know the WordPress administrator username, he has to guess both the username and the password during a brute force attack. The attack is then much less likely to succeed and takes much longer to complete. The longer the attack takes, the better the chances that you or your hosting provider will identify it, which is exactly what you want.

WP White Security Tip: By changing the WordPress administrator user ID you are protecting your WordPress from targeted attacks. To protect your WordPress from automated, non-targeted WordPress brute force attacks, refer to the article How to protect your WordPress from brute force attacks.

How to manually identify the WordPress administrator username

By default the ID of the built-in WordPress administrator account is 1. Therefore, unless you change the ID of the WordPress administrator to a higher random number, anyone can use the URL below to identify the WordPress administrator username, irrespective of the permalink structure configured on your WordPress.

If the WordPress administrator ID is still set to 1, the user will be redirected to the below URL, where the username is shown at the end of the URL. For example, in the below URL the username is superadmin.

Note: The above URLs are used as an example and will not work on the WP White Security website.

Automatically identify the WordPress administrator username

There are several free tools available online which malicious attackers can use against you, such as the WPScan WordPress black box scanner.

When you launch a default WordPress security scan with WPScan, it automatically enumerates all users which have a low / default user ID, thus uncovering the username of the WordPress administrator account. WPScan can also be used to enumerate WordPress users with higher IDs, as explained in How to enumerate WordPress users with WPScan. Even so, the higher the WordPress administrator user ID is, the longer it takes the scanner to guess it, which again prolongs the attack and increases the chances of identifying and blocking it.
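The point about a slower scan being easier to spot can be turned into a concrete check. The following Python sketch is an added example, not part of the original article or of WPScan: it assumes the enumeration reaches the web server as requests with a numeric `author` query parameter (the parameter name and the constructed log lines are assumptions), and it flags clients that try several IDs, listing which IDs answered with the redirect described above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in the common "combined" access log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?paged=2&author=4 HTTP/1.1" 404 0 "-" "scanner"
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:05 +0000] "GET /author/superadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2024:10:02:00 +0000] "GET /?s=author%3D1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, request target and status code of one log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

def author_probes(log_text):
    """Map client IP -> {author ID: HTTP status} for numeric author= requests."""
    probes = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # Parse the query string properly so that a search for the text
        # "author=1" (the /?s=... line above) is not counted as a probe.
        for key, value in parse_qsl(urlsplit(target).query):
            if key == "author" and value.isdecimal():
                probes[ip][int(value)] = int(status)
    return probes

def flag_enumeration(log_text, min_ids=3):
    """Return IPs that tried at least min_ids distinct author IDs."""
    report = {}
    for ip, seen in author_probes(log_text).items():
        if len(seen) >= min_ids:
            # A redirect means that ID resolved to a username in the Location URL.
            leaked = sorted(i for i, s in seen.items() if s in (301, 302))
            report[ip] = {"ids_tried": sorted(seen), "ids_redirected": leaked}
    return report

if __name__ == "__main__":
    for ip, info in flag_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Any ID listed under `ids_redirected` resolved to a username for that client, so the matching account should be treated as known to it.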

How to change the ID of the WordPress administrator

To change the default WordPress administrator account ID you need to make changes to the WordPress database, so back up your WordPress before proceeding with any changes. If you are new to WordPress backups, refer to one of the following articles: How to make a manual WordPress backup or the reliable and secure online WordPress backups WP White Security uses.

Before you change the WordPress administrator account ID, also ensure that the administrator account does not have any posts or pages assigned to it. If it does, change the author of such posts or pages to a user with the Author role manually, or write an SQL query to change the author ID of such posts automatically.

Once you have made a WordPress database backup, connect to your WordPress database using the MySQL command line tool or the web-based phpMyAdmin and execute the queries below on the WordPress database:

UPDATE wp_users SET ID = 1024 WHERE ID = 1;

The above MySQL query will change the default WordPress administrator user ID from 1 to 1024 in the wp_users table, i.e. where the user credentials are stored.

UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;

The above MySQL query will change the default WordPress administrator user ID from 1 to 1024 in the wp_usermeta table, where user related data is stored.

WP White Security Tip: Always use a big number for the new WordPress administrator ID. The bigger the number is, the lower the chances of it being discovered, because the longer it will take for a fuzzing attack to test that number.

Protecting your WordPress administrator account

Even if you think your WordPress blogs or websites might never be the victim of a targeted attack, it is still recommended that you make this change because, at the end of the day, every online website is a target. After all, it only takes a few minutes to change the ID of a WordPress administrator account. Note that there is no need to change the user ID of the other WordPress users that do not have administrator privileges, since typically the administrator account is the one that is targeted. Having said that, you should always ensure that all WordPress users use strong passwords, and where possible you should hide all WordPress usernames.


17 thoughts on “Why You Should Change the WordPress Administrator User ID”

  1. The query should be:

    UPDATE wp_users SET ID = 1024 WHERE ID = 1;

    and

    UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;

  2. If you are not comfortable with changing the ID in MySQL, an alternative could be to add a code snippet to .htaccess preventing “author=” searches, while still allowing “author” searches.

    RewriteCond %{QUERY_STRING} author= [NC]
    RewriteRule .* /? [R=301,L]

  3. Just changed user ID, user login, user nicename all in one go and found I couldn’t login.
    Changed it back on one user and logged in on another and found that even though it said administrator, in the all user section in WordPress, it wasn’t the case when I edited it. The user role wasn’t set.
    So I set it and saved it and I could then login with that user.

    My advice would be to create a temporary admin, log in with that admin, make the database changes to the other users, set and save their roles.
    Login to check they all work, and then delete the temp admin you created.

    Hope this helps someone out!

    1. Thanks for the suggestion Brocknoviatch. That is an important thing to point out; when applying such WordPress hacks always make sure you have a backup, and do some tests prior to applying the actual hack.

  4. Thanks for the article, works like a charm 🙂
    My customer wanted to have the customer ID’s to start at 10.000, so I’ve made the admin account ID 9999, and the account created afterwards increment with 1 starting with 10.000. Just what I needed 😀

  5. Hi there, I noticed that you have to change wp_posts as well to make sure posts show their author correctly. Everything works now except the author box… any ideas?

    1. Hello Frank,

      If you have posts from such author and you change its ID then yes, you have to update wp_posts as well. What do you mean everything works except the author box? I.e. which is the author box?

      1. Hi Robert, thanks for replying to my question. I’m referring to the author box below posts that is shown based on the “Biographical Info” from the user profile. Is there a table to be updated as well?

  6. In the new version of WP 5.5 has something changed?
    For some reason in previous ones it let me change the admin ID with id changer without problem, but now I tried it with a new installation both following these steps and with ID changer and the result is that I enter the first time and then if there is no user ID 1 , even if there are other administrators, both wp-admin.php and wp-login.php crash with error, if ID 1 is returned, let them re-enter.

    1. Hi Sandy,

      Hope you are doing good.
      Nothing has changed in 5.5. It’s still the same.
      The first user has ID 1.

      Can you please elaborate on the error? Thanks in advance.

      Best regards

  7. Thank you very much for these few lines of code, exactly what I was looking for.
    Everything went almost well, just at the step “Avoid WordPress User ID Conflicts” I got this error returned to me:
    Failed to execute SQL: SQL ALTER TABLE wp_users AUTO_INCREMENT = ** anynumber **; failed: Invalid default value for ‘user_registered’
    Any idea how to solve this?
    Thank you for your help !

    1. Hello Ludovi,

      Thank you for following our website and for posting the comment. That command is no longer required since WordPress automatically assigns user IDs higher than the one you assigned to the user automatically. It was required in older versions of the database. We have updated the article to reflect this. Should you have any more questions, please do not hesitate to ask.

    2. I am glad you found the article helpful Ludovi.

      That part of the code is no longer required. It was only needed in older versions of WordPress. We have updated the article to reflect this. Thank you for reporting this.

      Should you have any other questions, please do not hesitate to ask. Have a good day.

