Why you should never use the default ‘Admin’ username


Today, I decided to implement and test the new Google reCaptcha API.  While doing this, I decided to also do some routine maintenance by taking updates, reviewing my security settings, etc.  While doing this, I noticed that hundreds of lockouts were being recorded in one of my log files.  Upon looking closer, I noticed that over 100 lockouts were recorded for the ‘admin’ username.  Fortunately, I never use ‘admin’ as a username and I also use ‘Limit Login Attempts’, but it does go to show that my login page is getting found and hackers are trying to gain access.  I am sure that these attempts to gain access aren’t by humans directly, but by scripts that humans have written and sent out through the web on bots that crawl every site they come across looking for login forms.

The takeaways here are:

  1. Never use ‘admin’ (or any capitalization of it) as a username.  It is the first guess every login-scanning bot tries, so a non-obvious login name takes you out of the cheapest attack entirely.  A username only stays secret if the site does not leak it elsewhere; if the site runs WordPress (which is what the ‘Limit Login Attempts’ plugin is built for), author archive pages and the REST users endpoint can reveal account names unless they are restricted.
  2. Installing and activating ‘Limit Login Attempts’ really does work, if for no other reason than that it records lockouts in the log files, so you can see attempts that would otherwise go unnoticed.  Locking out after a handful of failures also caps how many guesses a bot gets from each IP address.
  3. You can now add Google’s reCaptcha API to the login and Lost Password pages as well as to comment forms, which blocks the scripted submissions that a lockout counter alone would only slow down.
  4. Create strong passwords: length matters most, so treat 8 characters as a floor rather than a target; use both lower and upper case letters, at least one number and one special character; never use a word that would be found in a dictionary; and never reuse a password across sites, since a breach elsewhere is exactly what these bots replay.
  5. If you want to take your site’s security to the next level, you can move or rename the login page to make it harder to find.  There are plugins that will help with this, and there are services you can enroll in that identify malicious IP addresses and block them from reaching the site.  Keep in mind that renaming the login page is obscurity rather than access control: it cuts the noise from bots that only look in the default location, but a strong, unique password and lockouts remain the real defence.
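The mechanism behind takeaway 2 and the log review described above, as an added example that is not the post's code and not the ‘Limit Login Attempts’ plugin's: a minimal lockout tracker keyed by source IP, plus a summary of the lockout records it writes, driven by a constructed burst of guesses against ‘admin’.  The thresholds, the log line format, the IP addresses and the function names are illustrative assumptions.

```python
"""Minimal login lock-out tracker plus a lock-out log summary.

Added example, not code from the original post or from the Limit Login
Attempts plugin.  It assumes a site that calls record_failure() on every
failed login and checks is_locked() before it even verifies a password.
Thresholds, the log format and the sample IPs are illustrative.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


class LoginLimiter:
    """Lock a client IP after `max_attempts` failures within `window`.

    Keyed by source IP rather than by username: locking the *account* would
    let a bot that knows (or guesses) a username deny the real user access,
    whereas locking the *source* only costs the attacker.
    """

    def __init__(self, max_attempts=4, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=20)):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> datetime the lock expires
        self.log = []                         # lock-out records, one line each

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # lock expired: forget it
            del self._locked_until[ip]
            return False
        return True

    def record_failure(self, ip, username, now):
        """Register a failed login; return True if the IP is (now) locked."""
        if self.is_locked(ip, now):
            return True
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            q.clear()
            self.log.append(f"{now.isoformat()} LOCKOUT ip={ip} user={username} "
                            f"attempts={self.max_attempts}")
            return True
        return False


def summarize_lockouts(lines):
    """Count lock-out records per username and per IP.

    Parses the `<timestamp> LOCKOUT ip=... user=... attempts=...` lines the
    limiter writes; anything else in the log is ignored.
    """
    by_user, by_ip = Counter(), Counter()
    for line in lines:
        if " LOCKOUT " not in line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split()[2:] if "=" in tok)
        by_user[fields["user"]] += 1
        by_ip[fields["ip"]] += 1
    return by_user, by_ip


def simulate():
    """Drive the limiter with constructed traffic: two bots guessing 'admin'
    and one human mistyping an 'editor' password once."""
    limiter = LoginLimiter()
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    bot_a, bot_b = "198.51.100.7", "203.0.113.9"   # constructed sample IPs
    for burst_start in (t0, t0 + timedelta(minutes=30)):   # two bursts, 30 min apart
        for i in range(6):                                   # 6 guesses, 5 s apart
            limiter.record_failure(bot_a, "admin", burst_start + timedelta(seconds=5 * i))
    for i in range(4):                                       # 4 guesses, 1 s apart
        limiter.record_failure(bot_b, "admin", t0 + timedelta(minutes=1, seconds=i))
    limiter.record_failure("192.0.2.44", "editor", t0 + timedelta(minutes=2))
    return limiter


if __name__ == "__main__":
    limiter = simulate()
    by_user, by_ip = summarize_lockouts(limiter.log)
    print(*limiter.log, sep="\n")
    print("lock-outs by username:", dict(by_user))
    print("lock-outs by source IP:", dict(by_ip))
```

The first bot locks itself out on its fourth guess, wastes the next two, and gets locked again when it returns after the lock has expired; the second bot locks out once; the single ‘editor’ typo never reaches the threshold.  The per-username count is what surfaces the pattern the post describes: every lockout targets ‘admin’, which is exactly why that name should not exist on the site.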