The WordPress administrator account is the most targeted account on a WordPress blog or site. Therefore it is recommended to properly secure the WordPress administrator account.
One of the recommended security tweaks is to change the default ID assigned to the WordPress administrator user account. This WordPress security article explains why you should change the default WordPress administrator account ID and how to change it.
Why Change the WordPress Administrator User ID
If your WordPress blog or site is a victim of a targeted attack a malicious hacker can easily identify the WordPress administrator username manually or by using automated tools. If a malicious hacker identifies the username of your WordPress administrator, he can launch a brute force or dictionary attack specifically against the WordPress administrator account, thus making the attack an easier feat.
If the malicious attacker does not know the WordPress administrator username, he has to guess both the username and password during a brute force attack. This means that the chances that the attack will succeed are much less and the attack will take much longer to complete, and the longer the attack takes, the more the chances of you or the hosting provider identifying the attack, which is exactly what you want.
WP White Security Tip: By changing the WordPress administrator user ID you are protecting your WordPress from targeted attacks. To protect your WordPress from automated non targeted WordPress brute force attacks refer tothe article How to protect your WordPress from brute force attacks.
How to Manually Identify the WordPress Administrator Username
By default the ID of the built-in WordPress administrator account is 1. Therefore unless you change the ID of the WordPress administrator to a higher random number, anyone can use the URL below to identify the WordPress administrator username, irrelevant of the WordPress permalinks configured on your WordPress.
If the WordPress administrator ID is still set to 1 the user will be redirected to the below URL, where the new username is shown at the end of the URL. For example in the below URL, the username is superadmin.
Note: The above URLs are used as an example and will not work on the WP White Security website.
Automatically Identify the WordPress Administrator Username
There are several free tools available online which malicious attackers can use against you, such as WPScan WordPress black box scanner.
When you launch a default WordPress security scan with WPScan, it will automatically enumerate all users which have a low / default user ID, thus uncovering the username of the WordPress administrator account. WPScan can also be used to enumerate WordPress users with higher IDs as explained in How to enumerate WordPress users with WPScan. But even though there is such functionality, the higher the WordPress administrator user ID is the longer it will take for the scanner to guess it, thus again prolonging the attack and increasing the chances of identifying and blocking the attack.
How to Change the ID of the WordPress Administrator
To change the default WordPress administrator account ID you need to make changes to the WordPress database, therefore before proceeding with any changes backup your WordPress. If you are new to WordPress backups refer to one of the following articles; How to make a manual WordPress backup or How to automate WordPress backup with a plugin.
Before you change the WordPress administrator account ID also ensure that the administrator account does not have any posts or pages assigned to it. If it does, change the author of such posts or pages to a user with Author role manually or write an SQL query to change the author ID of such posts automatically.
Once you have done a WordPress database backup, connect to your WordPress database using the MySQL command line tool or the web based phpMyAdmin and execute the below queries on the WordPress database:
UPDATE wp_users SET ID = 1024 WHERE ID = 1;
The above MySQL query will change the default WordPress administrator user ID from 1 to 1024 in the wp_users table, i.e. where the user credentials are stored.
UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;
The above MySQL query will change the default WordPress administrator user ID from 1 to 1024 in the wp_usermeta table, where user related data is stored.
WP White Security Tip: Always specify a high value for the new WordPress administrator ID. The higher the value is the less chances of it being discovered and the longer an attack will take.
Avoid WordPress User ID Conflicts
By default WordPress uses incremental values to assign user IDs to newly generated user accounts. Therefore while the built-in administrator will have a user ID of 1, the first user you create will have user ID 2, second user will have user ID 3 and so on. If you think you will create more WordPress users than the number you have used for your new WordPress administrator user ID, you should set the WordPress User ID auto increment value (the counter that WordPress uses to assign new accounts a unique ID) to a bigger value than the one used for the WordPress administrator account. To do so use the below query:
ALTER TABLE wp_users AUTO_INCREMENT = 2048
Once you execute the above query, WordPress will assign a user ID of 2049 to the next WordPress user you create.
WP White Security Tip: When setting the new WordPress auto increment value, use a much higher value than the one configured for the WordPress administrator account as seen in the above example, so attackers cannot easily determine the ID of the WordPress administrator account.
Protecting Your WordPress Administrator Account
Even if you think your WordPress blogs or websites might never be a victim of a targeted attack, it is still recommended you to make such a change because at the end of the day, every online website is a target. After all it only takes a few minutes to change the ID of a WordPress administrator account. Note that there is no need to change the user ID of all the other WordPress users that do not have administrator privileges, since typically the administrator account is the one that is targeted. Having said that, you should always ensure that all WordPress users use strong passwords and where possible you should hide all WordPress usernames.