Wordpress Security Tip: admin USER Change Query - My Team Changed about 100+ Sites in an Hour

Hi Warriors,

Due to the recent WordPress security attack, the #1 thing recommended was to change the "admin" username to "someAdmin", as it was the weakest link for your site security.

I have two servers for local clients' hosting, and there are so many old WP sites that it was almost impossible to go back and check which site had the 'admin' username and then change it, as we also had no admin passwords... so we passed this resolution...

1. Let's change all 'admin' to something secure like 'gm13Admin'
2. One person dedicated to phone and email support for any inquiry from local clients about passwords/logins not working, to tell them to use the new username, i.e. instead of 'admin' use 'gm13Admin'
3. Let's do this at server level, fast, with a query which will check if the user is 'admin' and only then change it to the secure username... i.e. do not bother with already secure usernames.

Result: Two servers took less than an hour, and all sites were checked against 'admin' user and changed to secure admin where needed...

You can do something similar if you have so many Addon domains, sub-domains and wp installs on all of them...

WARNING: Only do it if you know how to deal with phpMyAdmin and you know what you are doing; otherwise get your go-to guy for tech support and ask them to do it. They will charge max an hour rate for a 1hr job max.

Steps:
1. Log in to cPanel and access phpMyAdmin
2. In the right side, select the WP databases one by one, and then
3. Click SQL, paste the following query in it and click GO, that's it!
4. Repeat step #2 and #3 for all other WordPress databases.

Here is query:

Code:
UPDATE wp_users SET user_login = 'gm13Admin' WHERE user_login = 'Admin';
UPDATE wp_users SET user_login = 'gm13Admin' WHERE user_login = 'admin';
UPDATE wp_users SET user_nicename = 'Web Admin' WHERE user_nicename = 'admin';

What this Code does:
Line1&2: It checks if there is a username 'admin' or 'Admin', then changes it to something like 'gm13Admin' (you can write anything here, it will be your new login username)

Line3: It checks if your username which shows to the public, like Posted by: Admin, is 'admin', then changes it to 'Web Admin' or anything you like, such as your name or 'Site Admin'

Note: It does not change your username or nicename/public author name when it does not find 'admin' as the username/nicename... so it is safe to use even if you have other usernames, it will not change them...

Hope this helps you take care of a big lot of websites and catch any forgotten WP install which may date back to 2008, when the default username used to be 'admin'...

Let me know if you have any questions.

Thank you,
Mohsin Rasool
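
Added example, not part of the original post: a more defensive form of the same rename for MySQL, which previews the matching rows, refuses to run if the new name is already taken, and keeps the author-URL slug free of spaces. The `wp_` prefix, the slug `web-admin` and the use of `display_name` are assumptions of this example.

```sql
-- Added example (MySQL, run once per WordPress database). Assumes the default
-- `wp_` table prefix; adjust if wp-config.php sets another $table_prefix.
-- String literals are used instead of user variables so that the column's
-- own collation always decides how names are compared.

-- 1. Preview the rows that would be touched. WordPress tables normally use a
--    case-insensitive (_ci) collation, so 'admin' also matches 'Admin'.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'admin';

-- 2. user_login is indexed but not UNIQUE at the database level, so check
--    that the new login or slug is not already held by another account.
SELECT COUNT(*) INTO @taken
FROM wp_users
WHERE user_login = 'gm13Admin' OR user_nicename = 'web-admin';

-- 3. Rename only when there is no collision. The transaction keeps the
--    change atomic on InnoDB; MyISAM tables (common on old installs)
--    ignore it and apply each statement immediately.
START TRANSACTION;

UPDATE wp_users
SET user_login    = 'gm13Admin',  -- name from the post; ideally unique per site
    -- user_nicename is the slug used in author URLs, so no spaces
    user_nicename = IF(user_nicename = 'admin', 'web-admin', user_nicename),
    -- display_name is the name printed next to posts
    display_name  = IF(display_name = 'admin', 'Web Admin', display_name)
WHERE user_login = 'admin'
  AND @taken = 0;

COMMIT;

-- 4. Confirm the result: one row with the new login, none left with 'admin'.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login IN ('admin', 'gm13Admin');
```

On a multisite network, super admins are listed by login name in the `site_admins` entry of `wp_sitemeta`, so a renamed super admin has to be updated there as well.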
  • Thanks very much for this.
    Really useful.
    I wonder though if it is worth having the same login name for many sites...could be just as dangerous as having admin.
    • You are welcome.

      You are right, it should be changed to something unique for each site.

      Please note, this changed only the names which were 'admin' i.e. no unique names were changed.

      Also it was an emergency measure, and as 'admin' is universally risky to use, anything other than 'admin' is better until more unique names are used.

      Also, as our customers called in and asked why they could not log in, we told them about the username change, and even advised them to change to something unique for themselves,
      so we can avoid the same-username-for-all-network thing which you rightly mentioned.

      Thank you,
      Mohsin
  • Thanks for that.
    Do you have SQL query for changing individual site login name?
    • If I get your question right, it will work on any individual WP site.

      If I did not get your question, you can PM me your case, and I can modify this query for that.

      Regards,
      Mohsin
  • I thought the login can be changed in Wordpress itself so you don't need to use phpMyadmin. Is this correct?
    • Yes, that is correct. So that's fine if you only have one or two sites of your own.

      This method makes it faster and easier for bulk updates.

      Not being a WP SQL expert I'd also like to see the query that lets you set the password.
    • If you have only one user, and that is the default 'admin' user, you cannot edit or delete it from the WP dashboard. That is the case with most 'admin' user sites, which were mostly installed with cPanel Fantastico or HostGator's Quick Install or Softaculous... these sites mostly have one username created, and mostly 'admin' as the username...

      In that situation you need to change it from MySQL, easily, using a query like in the OP.

      Also, in the situation we were in, we did not have the passwords for many sites, so the above method gave you the option to change the 'admin' username (to remove the security issue) without even having the password of each WP site... so it was a quick, get-the-job-done little SQL thingy

      Regards,
      Mohsin
  • Thanks for this info.

    In terms of security, the more the better.

    Cheers,

    Gary
  • I guess I'm in the minority but I've always used something different than 'admin' which has also been recommended by Wordpress for years. How do "Wordpress Experts" use admin in the first place?
    • Indeed, Bruce.
      I was in a group chat where someone had been asking how to change admin (didn't want to use cpanel/phpMyAdmin)...and then claimed to do WP security. (Okay, among OTHER things...)

      I'm pretty fond of WordFence, which is freely available on WordPress.org (they do have a paid option, but the free option is sweetly powerful.)

      It's not a complete security solution ... and it can potentially be confusing (and scary) for people who can't read code...but it found a couple of backdoors in a customer's account ... and that sold me.
    • You are right, when doing a manual install I have always gone with a non-admin user. However, it is a fact that when Fantastico and QuickInstall got famous, you could not stop your clients using automatic installs on your server with these tools, which used to put 'admin' as the username with no option to choose another username.

      I and my team have also used these QuickInstall tools when one has to install some demo WP to test some plugin or theme on a fresh install... same goes for clients who have cPanel access to our servers... they too will install some WP to test something at sub-directory level years ago and forget to remove that install when testing is done... that is how the 'admin' username gets used and ends up being on your server, even when you are a WordPress Expert


      -Mohsin
  • Since the beginning, I have used the same login name similar to the one below for all my blogs.

    If I was starting over now, I would create it the same way and come up with a different one like zVcaWj913Tq0 maybe a couple of characters longer or shorter. It is impossible for anyone to come up with the login name, and if they somehow hacked a site and stole the login name, they would be dealing with an impossible to crack password.
    • I have always used a different username, see my earlier post. I prefer the installers like fantastico simply because they create the database and populate the salts in a flash. If you are concerned with using the common "wp_" prefix you can fix that in a heartbeat with either Better WP Security or BulletProof Security (I don't recall which or if both do it, I use them both on any blog I set up, mainly for the .htaccess patches they implement.)


  • Very crucial point!! I wrote this thread awhile ago about security, http://www.warriorforum.com/main-int...ress-blog.html, this should help raise more flaws with Wordpress.
