Skip to main content
How Can We Help?
< All Topics

List of Usernames to Avoid When Configuring WordPress

Originally Posted
Last Updated

When configuring WordPress, avoid using any of the usernames below. These are among the most commonly targeted usernames in brute force attacks — automated attempts by attackers to guess your login credentials by trying thousands of username and password combinations.

If you are currently using any of these usernames, we recommend changing it. See How to Change Your WordPress Login for instructions.

Usernames to avoid

  • admin
  • admin1
  • admin2
  • administrator
  • adm
  • root
  • superuser
  • su
  • sysadmin
  • manager
  • webmaster
  • webadmin
  • hostmaster
  • hostname
  • support
  • helpdesk
  • service
  • user
  • user1
  • test
  • test1
  • demo
  • guest
  • info
  • staff
  • operator
  • qwerty
  • wordpress
  • wp
  • wpuser
  • wpadmin

This is not an exhaustive list. As a general rule, avoid any username that is generic, predictable, or commonly associated with administrator accounts.

Don’t use your email address as your username

WordPress allows you to log in with either your username or your email address, so there is no need to use your email address as your username. Using your email address as a username unnecessarily exposes one half of your login credentials — your email address is often publicly visible or easily discoverable, which makes an attacker’s job easier.

Choosing a good username

Ideally your username should be unique to each site you manage. A randomly generated username like dave764393w954 is extremely difficult to guess, but has a practical downside — when you are auditing users across multiple sites it becomes hard to identify who owns which account at a glance.

A reasonable middle ground is to use a consistent personal identifier that isn’t publicly associated with you. For example, if your name is Dave Mroz and your public-facing username on the site is “Dave”, don’t use “dave” or “dmroz” as your admin username — those are easily guessed. Something like your initials combined with a number you’ll remember is harder to guess while still being identifiable during an audit.

If you manage a large number of sites, consider documenting your username conventions so you can audit access efficiently without sacrificing security.

Related articles

Need help keeping your WordPress site secure? Glimmernet offers WordPress maintenance and managed hosting with security monitoring included.

Tags:

Submit a Comment

Your email address will not be published. Required fields are marked *