Admin User Account Protection

What It Checks

This scanner verifies that the default "admin" user account on your WordPress site is properly protected. The admin account is typically the first account created during WordPress installation and is well-known to attackers. The scanner checks two important security aspects: first, whether an admin account with administrative privileges exists, and second, if user registrations are enabled on your site, whether a protected admin account has been created to prevent someone else from registering that username.

Why It Matters

It is important to protect the well-known "admin" account to prevent simple brute-force attacks on it. This account is usually the first one created when you install WordPress, and attackers know to try it. If an attacker already knows your username is "admin", they only need to guess your password, which makes a brute-force attack much easier.

What You'll See

Good Status:

  • The "admin" account is correctly protected.
  • The "admin" account has no role anymore.

Bad Status:

  • The "admin" account should have no role at all.
  • Because user registrations are open, the "admin" account should exist (with no role) to prevent someone from registering it.

Warning:

  • This fix is pending, please reload the page to apply it now.

Cannot Fix Automatically:

  • Oh! The "admin" account is yours! Please choose a new login for your account in the next step.

How to Fix

This issue can be automatically fixed by SecuPress in most cases. If an admin account exists with privileges and you are not currently using that account, SecuPress will automatically remove all roles and capabilities from that account, making it harmless. If you are currently logged in as the admin user, you will need to manually choose a new username. SecuPress will guide you through this process.

If user registrations are enabled on your site and no admin account exists, SecuPress can automatically create an admin account with no roles or capabilities. This prevents someone else from registering that username and gaining administrative access.

If automatic fixes are not possible, you may need to manually remove roles from the admin account through your WordPress user management interface, or contact your hosting provider for assistance.
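The check and fix described above, written out with WordPress core functions as an added illustration (this is not SecuPress's own code). It assumes WordPress is loaded, for example when run with `wp eval-file`; the function names are hypothetical.

```php
<?php
// Added example, not SecuPress code. Assumes WordPress is loaded.

// Mirrors the scanner: reports why the "admin" account is or is not protected.
function example_check_admin_account() {
    $user               = get_user_by( 'login', 'admin' );
    $registrations_open = (bool) get_option( 'users_can_register' );

    if ( ! $user ) {
        // No "admin" account: fine unless anyone can register that username.
        return $registrations_open ? 'bad_should_exist_without_role' : 'good';
    }
    // An existing "admin" account is only harmless with no role and no caps.
    $has_role = ! empty( $user->roles );
    $has_caps = ! empty( array_filter( $user->allcaps ) );
    return ( $has_role || $has_caps ) ? 'bad_has_role' : 'good';
}

// Mirrors the fix: strip roles, or reserve the username with a role-less account.
function example_fix_admin_account() {
    $user = get_user_by( 'login', 'admin' );

    if ( $user && (int) get_current_user_id() === (int) $user->ID ) {
        // Cannot fix automatically: the operator is logged in as "admin".
        return 'manual_rename_required';
    }
    if ( $user ) {
        // set_role( '' ) removes every role (and its capabilities) from the account.
        $user->set_role( '' );
        return 'roles_removed';
    }
    if ( get_option( 'users_can_register' ) ) {
        // Reserve the username with a placeholder account that holds no role.
        $result = wp_insert_user( array(
            'user_login' => 'admin',
            'user_pass'  => wp_generate_password( 64, true, true ), // random, never used
            'role'       => '',
        ) );
        return is_wp_error( $result ) ? 'create_failed' : 'placeholder_created';
    }
    return 'nothing_to_do';
}

echo example_check_admin_account(), "\n";
```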