Why You Should Change the WordPress Administrator User ID

Last updated on December 05th, 2014 by Robert Abela. Filed under WordPress Security Hacks

The WordPress administrator account is the most targeted account on a WordPress blog or site. Therefore it is recommended to properly secure the WordPress administrator account.

One of the recommended security tweaks is to change the default ID assigned to the WordPress administrator user account. This WordPress security article explains why you should change the default WordPress administrator account ID and how to change it.

Why Change the WordPress Administrator User ID

If your WordPress blog or site is a victim of a targeted attack a malicious hacker can easily identify the WordPress administrator username manually or by using automated tools. If a malicious hacker identifies the username of your WordPress administrator, he can launch a brute force or dictionary attack specifically against the WordPress administrator account, thus making the attack an easier feat.

If the malicious attacker does not know the WordPress administrator username, he has to guess both the username and the password during a brute force attack. The chances that the attack succeeds are therefore much lower and the attack takes much longer to complete. The longer the attack takes, the greater the chances that you or the hosting provider will notice it, which is exactly what you want.

WP White Security Tip: By changing the WordPress administrator user ID you are protecting your WordPress from targeted attacks. To protect your WordPress from automated, non-targeted WordPress brute force attacks, refer to the article How to protect your WordPress from brute force attacks.

How to Manually Identify the WordPress Administrator Username

By default the ID of the built-in WordPress administrator account is 1. Therefore, unless you change the ID of the WordPress administrator to a higher random number, anyone can use the URL below to identify the WordPress administrator username, regardless of the permalink structure configured on your WordPress.

http://www.wpwhitesecurity.com/?author=1

If the WordPress administrator ID is still set to 1, the visitor is redirected to the URL below, which ends with the username. In the example URL below, the username is superadmin.

http://www.wpwhitesecurity.com/author/superadmin/

Note: The above URLs are used as an example and will not work on the WP White Security website.

Automatically Identify the WordPress Administrator Username

There are several free tools available online which malicious attackers can use against you, such as the WPScan WordPress black box scanner.

When you launch a default WordPress security scan with WPScan, it automatically enumerates all users which have a low (default) user ID, thus uncovering the username of the WordPress administrator account. WPScan can also be used to enumerate WordPress users with higher IDs, as explained in How to enumerate WordPress users with WPScan. Even so, the higher the WordPress administrator user ID is, the longer it takes the scanner to find it, which again prolongs the attack and increases the chances of identifying and blocking it.

How to Change the ID of the WordPress Administrator

To change the default WordPress administrator account ID you need to make changes to the WordPress database, therefore before proceeding with any changes back up your WordPress. If you are new to WordPress backups, refer to one of the following articles: How to make a manual WordPress backup or How to automate WordPress backup with a plugin.

Before you change the WordPress administrator account ID, also ensure that the administrator account does not have any posts or pages assigned to it. If it does, change the author of such posts or pages to a user with the Author role, either manually or with an SQL query that changes the author ID of those posts.

Once you have made a WordPress database backup, connect to your WordPress database using the MySQL command line tool or the web-based phpMyAdmin and execute the queries below on the WordPress database:

UPDATE wp_users SET ID = 1024 WHERE ID = 1;

The above MySQL query changes the default WordPress administrator user ID from 1 to 1024 in the wp_users table, the table where the user credentials are stored.

UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;

The above MySQL query changes the default WordPress administrator user ID from 1 to 1024 in the wp_usermeta table, where user-related data such as the role is stored.

WP White Security Tip: Always specify a high value for the new WordPress administrator ID. The higher the value is the less chances of it being discovered and the longer an attack will take.

Avoid WordPress User ID Conflicts

By default WordPress assigns incremental user IDs to newly created user accounts. Therefore, while the built-in administrator has a user ID of 1, the first user you create has user ID 2, the second user ID 3, and so on. If you think you will create more WordPress users than the number you have used for your new WordPress administrator user ID, set the WordPress user ID auto increment value (the counter WordPress uses to assign each new account a unique ID) to a value larger than the one used for the WordPress administrator account. To do so, use the query below:

ALTER TABLE wp_users AUTO_INCREMENT = 2048;

Once you execute the above query, WordPress will assign a user ID of 2049 to the next WordPress user you create.

WP White Security Tip: When setting the new WordPress auto increment value, use a much higher value than the one configured for the WordPress administrator account, as in the example above, so that attackers cannot easily infer the ID of the WordPress administrator account from the IDs of newer accounts.
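The whole procedure above, written as one script for the MySQL command line tool. This is an added example and not part of the original article: it assumes the default wp_ table prefix, the administrator currently at ID 1, and the constructed values 1024 for the new ID and 2048 for the auto increment counter. It goes slightly beyond the article by carrying the administrator's posts along (wp_posts.post_author) and checking for an ID conflict first, instead of reassigning the posts beforehand.

```sql
-- Added example (not from the original article). Assumes the wp_ prefix,
-- the administrator at ID 1, new ID 1024 and AUTO_INCREMENT 2048
-- (constructed values; replace them with your own). Take a backup first.

-- 1. The new ID must be free. This query must return no rows.
SELECT ID, user_login FROM wp_users WHERE ID = 1024;

-- 2. See what still references the old ID, so you know what the UPDATEs
--    below will touch (posts/pages, user metadata, comments by this user).
SELECT
  (SELECT COUNT(*) FROM wp_posts    WHERE post_author = 1) AS posts,
  (SELECT COUNT(*) FROM wp_usermeta WHERE user_id     = 1) AS usermeta_rows,
  (SELECT COUNT(*) FROM wp_comments WHERE user_id     = 1) AS comments;

-- 3. Move the account, its metadata (the wp_capabilities row holds the
--    administrator role) and its content in one transaction, so a failure
--    halfway leaves the old state intact. On MyISAM tables the transaction
--    has no effect; there the backup is your only rollback.
START TRANSACTION;
UPDATE wp_users    SET ID          = 1024 WHERE ID          = 1;
UPDATE wp_usermeta SET user_id     = 1024 WHERE user_id     = 1;
UPDATE wp_posts    SET post_author = 1024 WHERE post_author = 1;
UPDATE wp_comments SET user_id     = 1024 WHERE user_id     = 1;
COMMIT;

-- 4. Verify: the account and its role follow the new ID, and nothing is
--    left behind under the old one (both orphan counts must be 0).
SELECT u.ID, u.user_login, m.meta_value AS capabilities
  FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE u.ID = 1024 AND m.meta_key = 'wp_capabilities';
SELECT
  (SELECT COUNT(*) FROM wp_usermeta WHERE user_id     = 1) AS orphaned_meta,
  (SELECT COUNT(*) FROM wp_posts    WHERE post_author = 1) AS orphaned_posts;

-- 5. Move the counter for new accounts well past the administrator ID.
--    ALTER TABLE commits implicitly in MySQL, so it runs after the COMMIT.
ALTER TABLE wp_users AUTO_INCREMENT = 2048;
```

Run step 1 and 2 on their own first; if step 1 returns a row, pick a different new ID before touching anything.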

Protecting Your WordPress Administrator Account

Even if you think your WordPress blogs or websites might never be the victim of a targeted attack, it is still recommended that you make this change, because at the end of the day every online website is a target. After all, it only takes a few minutes to change the ID of a WordPress administrator account. Note that there is no need to change the user ID of the other WordPress users that do not have administrator privileges, since typically the administrator account is the one that is targeted. Having said that, you should always ensure that all WordPress users use strong passwords and, where possible, hide all WordPress usernames.

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with the BBQ: Block Bad Queries firewall and backed up with the BlogVault online WordPress backup service.

10 comments

Alin 01/06/2014

The query should be:

UPDATE wp_users SET ID = 1024 WHERE ID = 1;

and

UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;

Robert Abela 02/06/2014

Hi Alin,

Thank you for pointing the mistake out. The article has been updated.

Laurence 13/03/2015

If you are not comfortable with changing the ID in MySQL, an alternative could be to add a code snippet to .htaccess preventing “author=” searches, while still allowing “author” searches.

# Match any request whose query string contains "author=" (case-insensitive)
RewriteCond %{QUERY_STRING} author= [NC]
# Redirect it to the site root and drop the query string (the trailing "?")
RewriteRule .* /? [R=301,L]

Brocknoviatch 27/05/2015

Just changed user ID, user login, user nicename all in one go and found I couldn’t log in.
Changed it back on one user and logged in on another and found that even though it said administrator in the all users section in WordPress, it wasn’t the case when I edited it. The user role wasn’t set.
So I set it and saved it and I could then log in with that user.

My advice would be to create a temporary admin, log in with that admin, make the database changes to the other users, set and save their roles.
Log in to check they all work, and then delete the temp admin you created.

Hope this helps someone out!

WP White Security 27/05/2015

Thanks for the suggestion Brocknoviatch. That is an important thing to point out; when applying such WordPress hacks always make sure you have a backup, and do some tests prior to applying the actual hack.

Thanks for the article, works like a charm 🙂
My customer wanted to have the customer IDs start at 10.000, so I’ve made the admin account ID 9999, and the accounts created afterwards increment by 1 starting with 10.000. Just what I needed 😀

Frank 18/08/2015

Hi there, I noticed that you have to change wp_posts as well to make sure posts show their author correctly. Everything works now except the author box… any ideas?

Robert Abela 19/08/2015

Hello Frank,

If you have posts from such an author and you change its ID then yes, you have to update wp_posts as well. What do you mean everything works except the author box? I.e. which is the author box?

Frank 30/08/2015

Hi Robert, thanks for replying to my question. I’m referring to the author box below posts that is shown based on the “Biographical Info” from the user profile. Is there a table to be updated as well?

Robert Abela 31/08/2015

Hello Frank, that should be updated automatically since that is linked to the user profile / ID. If you have problems with that send us an email on support@wpwhitesecurity.com. We would be happy to look into that for you.
